Xiaokun Yang, Yesheng Liu, Xin Xiong, Jian Liang, Ran He, Tieniu Tan — Forty-third International Conference on Machine Learning (ICML 2026). Also appeared in the ICLR 2026 review cycle on OpenReview (openreview.net/forum?id=hY720JSxOG). Verified via the ICML 2026 poster page (icml.cc/virtual/2026/poster/63324).
Core Contribution
Standard story in RAG security: poison the corpus so a target query retrieves attacker text and the generator emits the attacker’s answer. Standard mitigation hope: add a reranker after the dense/sparse retriever. This paper’s first result is uncomfortable — a reranker fine-tuned only on benign, in-domain documents (no adversarial training) already filters a lot of existing poisons. The second result is the red-team reply: rerankers have systematic blind spots, and those blind spots can be exploited. They distill prompt-design principles for hitting those blind spots, then instantiate P³A (Prompt-Perturbation Poisoning Attack) — rule-based poisoned drafts plus tiny character-level perturbations (~1% textual change) that boost reranker rank while preserving adversarial payload. Strong transfer to vanilla (no-reranker) RAG; works even under a single-document poison budget.
Method
Threat model (as stated)
- Attacker can inject (or edit) documents in the RAG knowledge corpus.
- Goal: for chosen queries, poisoned docs survive retrieval and reranking, then steer generation.
- Defender may deploy a reranker trained on clean in-domain data — i.e., the realistic “we added a reranker for quality” deployment, not an adversarially hardened one.
Phase 0 — diagnosis: why naive poisons die at the reranker
They treat the reranker as a filter with blind spots: features or prompt patterns that look high-quality / on-distribution to a benign-trained reranker while still carrying an adversarial generation payload. The methodological output of this phase is a set of practical prompt-design principles (explicit rules for crafting candidate poisons that evade filtering). Exact principle list is PDF-bound; the abstract’s claim is that these principles are concluded from analysis of where benign rerankers fail, not guessed.
Phase 1 — rule-based prompt engineering (draft poison)
Using those principles, construct initial poisoned documents via rule-based prompt engineering (templates / constraints / stylistic rules — not yet gradient optimization). Goal of this draft: already partially evade reranker filtering while satisfying the usual RAG-poison dual requirements:
- Retrieval condition — high similarity / lexical overlap so the doc enters the retriever’s top-\(K\).
- Generation condition — once in context, steers the LLM toward the attacker’s target answer.
Phase 2 — character-level perturbation (reranker promotion)
Inject subtle character-level perturbations into the draft (~1% of characters changed). Design goals stated in the abstract:
- Promote ranking under the reranker (perturbations are chosen for reranker score, not human readability alone).
- Preserve adversarial effectiveness (payload still triggers the target generation behavior).
- Remain natural and readable (small edit rate so the doc doesn’t look like obvious adversarial noise).
This is the distinctive methodological move relative to PoisonedRAG-style pipeline attacks that optimize retrieval+generation conditions without a reranker-in-the-loop promotion stage.
Transfer / budget settings
- Evaluated against reranker-enhanced RAG (primary) and shown to transfer to vanilla RAG.
- Effective even when constrained to poisoning a single document — important for realistic attacker budgets.
Dataset / evaluation protocol
The public abstract says “extensive experiments” and “strong attack effectiveness and transferability” but does not name the QA corpora, retrievers, rerankers, or generator LLMs. In this literature the default evaluation stack is usually:
| Component | Typical choices in RAG-poison papers (not yet confirmed for P³A) |
|---|---|
| QA / corpus benchmarks | Natural Questions (NQ), HotpotQA, MS MARCO (Wikipedia- or web-scale corpora, millions of passages) |
| Retrievers | Contriever / DPR / other dense dual-encoders; sometimes BM25 |
| Rerankers | Cross-encoder rerankers fine-tuned on in-domain pairs |
| Generators | Instruct LLMs of varying size |
| Metrics | Attack success rate (target answer emitted), retrieval hit rate @K, reranker rank of poison, sometimes clean-task utility |
Flag: until PDF grounding, do not cite P³A-specific ASR numbers or claim NQ/HotpotQA as their datasets — only as the field’s usual testbeds. What is confirmed: single-doc budget, ~1% character perturbation, benign-only reranker fine-tuning as the defense setting, transfer to vanilla RAG, code in supplementary.
Limitations
- Corpus-poisoning success is the metric; no analysis of refusal circuits, quantization, or multilingual retrieval.
- Character-level perturbations may be partially mitigated by normalization (Unicode folding, spell-correction) that production pipelines sometimes apply before indexing — robustness to those defenses needs the paper’s ablation section.
- “Benign in-domain reranker” is a specific defense; results may not extrapolate to adversarially trained or ensemble rerankers.
Relevance to My Niche
Broad red-teaming / landscape, not a core quantization×multilingual anchor. Useful as (1) a reminder that defense layers that look free (benign rerankers) still induce a new attack surface, and (2) a concrete example of two-phase attack design (structure the payload, then optimize a small stealth edit) that parallels how I’d want to think about linguistically triggered compression attacks — craft the semantic trigger, then search a small perturbation in the “deployment transform” (here reranking; there quantization). Table candidate for the survey; loose touch to Direction 3 only if you squint at corpus integrity as an attribution/provenance problem.