PoisonedEar: Research on Knowledge Poisoning Attacks Against Audio RAG Systems

The PoisonedEar project targets the security blind spots of multimodal RAG systems and systematically studies knowledge poisoning attacks against audio-centric language models. This research demonstrates how attackers can manipulate RAG system outputs by contaminating audio content in the knowledge base, and proposes corresponding defense strategies, which have important implications for the field of multimodal AI security.

Retrieval-Augmented Generation (RAG) technology mitigates model hallucination and knowledge timeliness issues, but introduces an attack surface for knowledge base contamination. Existing RAG security research mostly focuses on the text domain, while security research on multimodal RAG (such as audio-centric language models) lags behind. Audio-centric language models, with large language models as their core, have audio understanding capabilities and are applied in smart home, in-vehicle systems, and other fields. Their RAG systems need to handle multiple links such as audio semantic extraction, which presents new attack entry points.

PoisonedEar constructs a complete knowledge poisoning attack framework. The core idea is to inject carefully crafted malicious audio into the knowledge base, so that the system generates answers based on false information after retrieval. The technical challenges faced by the attack include: complex audio semantic understanding, which requires ensuring that the malicious audio's semantics are relevant to the target query but misleading in content; and the need to understand the characteristics of cross-modal embedding models to construct effective attack samples.

PoisonedEar adopts multiple attack strategies: 1. Steganography: Encode malicious instructions in normal audio, which are harmless to humans but have specific semantics for models; 2. Adversarial sample generation: Optimize audio embeddings to be close to the target query vector, but produce incorrect information after decoding; 3. Persistence considerations: Construct generalized attack samples or design self-propagating content to ensure that malicious content remains influential after knowledge base updates.

In response to PoisonedEar attacks, the research proposes defense recommendations: 1. Knowledge base audit: Automated detection of abnormal audio patterns + manual sampling inspection; 2. Retrieval result verification: Cross-verify the consistency of multiple related audio segments; 3. Multimodal consistency check: Compare the differences between audio transcription text and embedded semantic representations; 4. Dynamic monitoring: Detect abnormal retrieval patterns and trigger security alerts.

PoisonedEar reveals the unique vulnerabilities of multimodal RAG—cross-modal retrieval introduces new attack vectors, and traditional text protection cannot be directly migrated; it demonstrates combined attack methods such as adversarial samples and steganography; it reminds us to expand the vision of security research and examine the security of the data supply chain (knowledge base construction, update and maintenance).

PoisonedEar discloses vulnerabilities in a responsible manner, which is crucial to the healthy development of technology. Teams developing or deploying audio RAG systems should assess risks and take protective measures. Security is not an obstacle to development, but the cornerstone of sustainable development.