LogicPoison: Logical Attacks on Graph Retrieval-Augmented Generation
arXiv:2604.02954v1 (announce type: cross)
Abstract: Graph-based Retrieval-Augmented Generation (GraphRAG) enhances the reasoning capabilities of Large Language Models (LLMs) by grounding their responses in structured knowledge graphs. Leveraging community detection and relation filtering techniques, GraphRAG systems demonstrate inherent resistance to traditional RAG attacks, such as text poisoning and prompt injection. However, in this paper, we find that the security of GraphRAG systems fundamentally relies on the topological integrity of the underlying graph, which can be undermined by implicitly corrupting the logical connections, without altering surface-level text semantics.
To exploit this vulnerability, we propose LogicPoison, a novel attack framework that targets logical reasoning rather than injecting false content. Specifically, LogicPoison employs a type-preserving entity swapping mechanism to perturb both global logic hubs for disrupting overall graph connectivity and query-specific reasoning bridges for severing essential multi-hop inference paths. This approach effectively reroutes valid reasoning into dead ends while maintaining surface-level textual plausibility.
Comprehensive experiments across multiple benchmarks demonstrate that LogicPoison successfully bypasses GraphRAG’s defenses, significantly degrading performance and outperforming state-of-the-art baselines in both effectiveness and stealth. Our code is available at https://github.com/Jord8061/logicPoison.
Introduction
Recent advancements in Large Language Models (LLMs) have highlighted the importance of integrating structured knowledge into their reasoning processes. GraphRAG systems utilize knowledge graphs to enhance the context and accuracy of generated responses. However, as these systems evolve, so do the methods of attack targeting their vulnerabilities.
The Threat of LogicPoison
LogicPoison introduces a new dimension of threat that focuses on the logical structure of knowledge graphs rather than the textual content itself. This attack method is particularly concerning for several reasons:
- Maintaining Plausibility: LogicPoison keeps the modified text plausible at the surface level, making it difficult for human reviewers and traditional detection systems to identify the manipulation.
- Targeted Disruption: By specifically targeting logical connections within the graph, LogicPoison can effectively disrupt multi-hop reasoning, a crucial aspect of complex query responses.
- Versatile Application: The attack framework can be adapted to various types of knowledge graphs, making it a versatile tool for adversaries.
Conclusion
As the field of AI continues to grow, understanding and mitigating new forms of attacks like LogicPoison is essential. The findings presented in this study underline the importance of not only enhancing the surface-level defenses of GraphRAG systems but also ensuring the robustness of the underlying logical structures. Future research must focus on developing countermeasures that can detect and neutralize such logical attacks, ensuring the integrity and reliability of AI systems in practical applications.
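One way a defender could monitor the topological integrity the abstract refers to, as an added example that is not code from the paper or its repository: compare a trusted baseline graph with the re-ingested one, flag degree drift on baseline hubs, and flag known-answer multi-hop pairs that are no longer reachable. The triples, function names and thresholds (`top_k`, `tolerance`, `max_hops`) are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed (subject, relation, object) triples; not data from the paper.
BASELINE = [  # trusted snapshot of the extracted graph
    ("Marie Curie", "born_in", "Warsaw"), ("Warsaw", "capital_of", "Poland"),
    ("Marie Curie", "worked_at", "Sorbonne"), ("Sorbonne", "located_in", "Paris"),
    ("Pierre Curie", "worked_at", "Sorbonne"), ("Pierre Curie", "born_in", "Paris"),
    ("Paris", "capital_of", "France"),
]
CURRENT = [  # same corpus after re-ingestion; three object entities differ
    ("Marie Curie", "born_in", "Lyon"), ("Warsaw", "capital_of", "Poland"),
    ("Marie Curie", "worked_at", "Sorbonne"), ("Sorbonne", "located_in", "Paris"),
    ("Pierre Curie", "worked_at", "ENS Lyon"), ("Pierre Curie", "born_in", "Lyon"),
    ("Paris", "capital_of", "France"),
]
CANARIES = [("Marie Curie", "Poland"), ("Marie Curie", "France"),
            ("Pierre Curie", "France")]  # known-answer multi-hop pairs

def build_adj(triples):
    """Undirected adjacency sets; relation labels are ignored in this check."""
    adj = defaultdict(set)
    for s, _rel, o in triples:
        adj[s].add(o)
        adj[o].add(s)
    return adj

def hops(adj, src, dst, max_hops):
    """BFS hop count from src to dst, or None if not reachable within max_hops."""
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        node, dist = queue.popleft()
        if node == dst:
            return dist
        if dist < max_hops:
            new = adj.get(node, set()) - seen
            seen |= new
            queue.extend((n, dist + 1) for n in new)
    return None

def hub_drift(base, cur, top_k=2, tolerance=0.25):
    """Top-k baseline hubs whose degree changed by more than `tolerance`."""
    hubs = sorted(base, key=lambda n: (-len(base[n]), n))[:top_k]
    pairs = [(h, len(base[h]), len(cur.get(h, ()))) for h in hubs]
    return [(h, b, c) for h, b, c in pairs if abs(c - b) / b > tolerance]

def broken_canaries(base, cur, canaries, max_hops=3):
    """Canary pairs reachable in the baseline but not in the current graph."""
    return [(s, d) for s, d in canaries
            if hops(base, s, d, max_hops) is not None and hops(cur, s, d, max_hops) is None]
```

A flagged hub or canary is a prompt to diff the source documents behind the changed edges, since the text of each document can still read as plausible on its own.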
