Security Protection for Retrieval-Augmented Generation: A Systematic Review of Attacks, Defenses, and Future Directions

This article focuses on the security issues of Retrieval-Augmented Generation (RAG). The core viewpoint is that the essence of RAG security is the safety of the external knowledge access pipeline. The article establishes operational boundaries to distinguish between inherent LLM risks and RAG-specific risks, systematically organizes attack and defense techniques across the six stages of the RAG workflow, three trust boundaries, and four main attack surfaces, and proposes directions for layered, boundary-aware full-lifecycle protection as well as practical recommendations for developers.

The Rise of RAG

Retrieval-Augmented Generation (RAG) mitigates LLM hallucination issues by introducing external knowledge bases and has been widely applied in scenarios such as question answering, document analysis, and code assistance.

Security Concerns

RAG expands the attack surface: malicious retrieval content can manipulate model outputs, sensitive information may be leaked, knowledge bases are vulnerable to being attack targets, and critical business systems are threatened.

Research Confusion

Existing research often confuses inherent LLM risks (prompt injection, jailbreaking, etc.) with RAG-specific risks, leading to lack of targeted defenses, incomplete evaluations, and inconsistent research frameworks.

Six Workflow Stages

1. Knowledge Acquisition: Data source credibility and quality challenges
2. Knowledge Processing: Tampering risks in preprocessing steps like parsing, chunking, and embedding
3. Index Construction: Index integrity affects retrieval credibility
4. Query Processing: Primary target of prompt injection attacks
5. Retrieval Execution: Key link for attacks like poisoning and access control bypass
6. Generation Integration: Risks of context manipulation and information leakage

Three Trust Boundaries

• External Boundary: Separates untrusted environments from the system interior
• Processing Boundary: Separates raw data from processed knowledge
• Generation Boundary: Separates retrieval results from LLM-generated content

Four Attack Surfaces

1. Pre-retrieval Knowledge Contamination
2. Access Manipulation During Retrieval
3. Downstream Context Exploitation
4. Knowledge Leakage

Attack Techniques

• Knowledge Contamination: Data poisoning, backdoor attacks, supply chain attacks
• Access Manipulation: Adversarial queries, retrieval algorithm attacks, privilege escalation
• Context Exploitation: Prompt injection, context overflow, multi-round attacks
• Knowledge Leakage: Membership inference, attribute inference, model extraction

Current State of Defense Mechanisms

• Input Validation and Cleaning: Source verification, content review
• Robust Retrieval Algorithms: Authenticated nearest neighbor search
• Context Isolation and Filtering: Validation during the generation phase
• Access Control and Auditing: Fine-grained permissions + operation logs
• Differential Privacy: Adding noise to prevent sensitive information inference

Current Deficiencies in Defense

• High Reactivity: Designed for known attacks
• Fragmentation: Lack of coordination among defense measures

Core Conclusion

The essence of RAG security is the safety of the knowledge access pipeline; defenses need to focus on pipeline links.

Future Research Directions

1. Layered Defense Architecture: Deploy protection at each trust boundary
2. Boundary-Aware Design: Strong boundary validation + principle of least privilege
3. Full-Lifecycle Protection: Cover all six workflow stages
4. Proactive Threat Intelligence: Early warning of new attacks
5. Standardized Evaluation Benchmarks: Unified scenarios and mechanisms

1. Clarify Trust Boundaries: Implement strong validation at each boundary; do not assume any input is trustworthy
2. Defense-in-Depth: Do not rely on a single mechanism; add additional checks during the generation phase
3. Comprehensive Audit Logs: Record knowledge base changes, retrieval queries, and generated outputs
4. Continuous Updates: Follow security research progress and iterate defense measures in a timely manner