{"id":14043894,"url":"https://github.com/sleeepeer/PoisonedRAG","last_synced_at":"2025-07-27T15:32:03.517Z","repository":{"id":222236375,"uuid":"754941867","full_name":"sleeepeer/PoisonedRAG","owner":"sleeepeer","description":"[USENIX Security 2025] PoisonedRAG: Knowledge Corruption Attacks to Retrieval-Augmented Generation of Large Language Models","archived":false,"fork":false,"pushed_at":"2024-09-13T18:57:14.000Z","size":15543,"stargazers_count":59,"open_issues_count":1,"forks_count":6,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-09-14T09:35:02.218Z","etag":null,"topics":["ai","machine-learning","rag","retrieval-augmented-generation","security","trustworthy-ai"],"latest_commit_sha":null,"homepage":"https://arxiv.org/abs/2402.07867","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sleeepeer.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-02-09T04:25:56.000Z","updated_at":"2024-09-14T07:33:39.000Z","dependencies_parsed_at":"2024-09-14T09:20:03.004Z","dependency_job_id":null,"html_url":"https://github.com/sleeepeer/PoisonedRAG","commit_stats":null,"previous_names":["sleeepeer/poisonedrag"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sleeepeer%2FPoisonedRAG","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sleeepeer%2FPoisonedRAG/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sleeepeer%2FPoisonedRAG/releases","manifests_url":"https://repos.e
cosyste.ms/api/v1/hosts/GitHub/repositories/sleeepeer%2FPoisonedRAG/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sleeepeer","download_url":"https://codeload.github.com/sleeepeer/PoisonedRAG/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":227814479,"owners_count":17823909,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai","machine-learning","rag","retrieval-augmented-generation","security","trustworthy-ai"],"created_at":"2024-08-12T08:06:36.991Z","updated_at":"2025-07-27T15:32:03.511Z","avatar_url":"https://github.com/sleeepeer.png","language":"Python","funding_links":[],"categories":["Data-Poisoning","RAG Security","Vulnerabilities \u0026 Attack Vectors"],"sub_categories":["RAG \u0026 Training Data Poisoning"],"readme":"# PoisonedRAG\n\nOfficial repo of the [USENIX Security 2025](https://www.usenix.org/conference/usenixsecurity25) paper: [PoisonedRAG: Knowledge Corruption Attacks to Retrieval-Augmented Generation of Large Language Models](https://arxiv.org/abs/2402.07867).\n\nThe first knowledge database corruption attack against Retrieval-Augmented Generation (RAG) systems.\n\n## 🚀 News\n🎉 Jun 20, 2024: **PoisonedRAG gets accepted to [USENIX Security 2025](https://www.usenix.org/conference/usenixsecurity25)!**\n\n🔥 Apr 20, 2024: **If you have any questions or need other code or data, feel free to open an issue or email us!**\n\n![Illustration of PoisonedRAG](PoisonedRAG.png \"Illustration of PoisonedRAG\")\n\n## 🔍 Quick Usage\n\n### 📃 Setup environment\n\n```bash\nconda create -n 
PoisonedRAG python=3.10\n```\n```bash\nconda activate PoisonedRAG\n```\n```bash\npip install beir openai google-generativeai\npip install torch==1.13.0+cu117 torchvision==0.14.0+cu117 torchaudio==0.13.0 --extra-index-url https://download.pytorch.org/whl/cu117\npip install --upgrade charset-normalizer\npip3 install \"fschat[model_worker,webui]\"\n```\n\n### 💽 Dataset (optional, suggested)\n\nWhen running our code, the datasets will be automatically downloaded and saved in `datasets`. You could also run this line to manually download the datasets.\n\n```bash\npython prepare_dataset.py\n```\n\n### 🔑 Set API key\n\nIf you want to use PaLM 2, GPT-3.5, GPT-4 or LLaMA-2, please enter your api key in the **model_configs** folder.\n\nFor LLaMA-2, the api key is your **HuggingFace Access Token**. You could visit [LLaMA-2's HuggingFace Page](https://huggingface.co/meta-llama/Llama-2-7b-chat-hf) first if you don't have the access token.\n\nHere is an example:\n\n```json\n\"api_key_info\":{\n    \"api_keys\":[\n        \"Your api key here\"\n    ],\n    \"api_key_use\": 0\n},\n```\n\n### 📝 Reproduce our results\n\nThere are some hyperparameters in **run.py** such as LLMs and datasets:\n\n**Note:** Currently we provide the default setting for the main results in our [paper](https://arxiv.org/abs/2402.07867). 
We will update and complete other settings later.\n\n```python\ntest_params = {\n    # beir_info\n    'eval_model_code': \"contriever\",\n    'eval_dataset': \"nq\",            # nq, hotpotqa, msmarco\n    'split': \"test\",\n    'query_results_dir': 'main',\n\n    # LLM setting\n    'model_name': 'palm2',           # palm2, gpt3.5, gpt4, llama(7b|13b), vicuna(7b|13b|33b)\n    'use_truth': False,\n    'top_k': 5,\n    'gpu_id': 0,\n\n    # attack\n    'attack_method': 'LM_targeted',  # LM_targeted (black-box), hotflip (white-box)\n    'adv_per_query': 5,\n    'score_function': 'dot',\n    'repeat_times': 10,\n    'M': 10,\n    'seed': 12,\n\n    'note': None\n}\n```\n\nExecute **run.py** to reproduce the experiments.\n\n```bash\npython run.py\n```\n\n### 🐱 Your own dataset\nIf you want to perform experiments on your own dataset, you could refer to **evaluate_beir.py**, prepare your dataset in the beir format and use this file to compute the retrieval scores.\n\n## Acknowledgement\n\n* Our code used the implementation of [corpus-poisoning](https://github.com/princeton-nlp/corpus-poisoning).\n* The model part of our code is from [Open-Prompt-Injection](https://github.com/liu00222/Open-Prompt-Injection).\n* Our code used the [beir](https://github.com/beir-cellar/beir) benchmark.\n* Our code used [contriever](https://github.com/facebookresearch/contriever) for retrieval augmented generation (RAG).\n\n## Citation\n\nIf you use this code, please cite the following [paper](https://arxiv.org/abs/2402.07867):\n\n```tex\n@article{zou2024poisonedrag,\n  title={Poisonedrag: Knowledge corruption attacks to retrieval-augmented generation of large language models},\n  author={Zou, Wei and Geng, Runpeng and Wang, Binghui and Jia, Jinyuan},\n  journal={arXiv preprint arXiv:2402.07867},\n  
year={2024}\n}\n```\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsleeepeer%2FPoisonedRAG","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsleeepeer%2FPoisonedRAG","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsleeepeer%2FPoisonedRAG/lists"}