PoisonedEye: Knowledge Poisoning Attack on Retrieval-Augmented Generation based Large Vision-Language Models
Authors: Chenyang Zhang, Xiaoyu Zhang, Jian Lou, Kai Wu, Zilong Wang, Xiaofeng Chen
ICML 2025
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Extensive experiments on multiple query datasets, retrievers, and LVLMs demonstrate that our attack is highly effective in compromising VLRAG systems. Additionally, we conduct ablation studies to further evaluate the robustness of our attack. |
| Researcher Affiliation | Academia | 1State Key Laboratory of ISN, Xidian University, Xi'an, Shaanxi, China. 2Key Laboratory of Data and Intelligent System Security, Ministry of Education, China. 3School of Software Engineering, Sun Yat-sen University, Guangzhou, Guangdong, China. 4School of Artificial Intelligence, Xidian University, Xi'an, Shaanxi, China. |
| Pseudocode | Yes | Algorithm 1 Single Query Targeted Attack. Algorithm 2 Class Query Targeted Attack. |
| Open Source Code | No | The paper does not provide any specific link to source code or an explicit statement about releasing their implementation code. |
| Open Datasets | Yes | Knowledge Database. We utilize OVEN-Wiki (Hu et al., 2023a) as our vision-language knowledge database. OVEN-Wiki is a vision-language dataset composed of 6M Wikipedia entities. Therefore, we employ image classification datasets including ImageNet-1k (Russakovsky et al., 2015), Places-365 (Zhou et al., 2017), and Country-211 (Radford et al., 2021). |
| Dataset Splits | Yes | We randomly select images from the dataset as target images and formulate the query text based on the task associated with each dataset (in Appendix H). In evaluation, images from the same class as the target image will be utilized as the user input. We evaluate our attack on all classes, and randomly select 10 samples from each class for evaluation. |
| Hardware Specification | No | The paper does not provide specific hardware details (e.g., GPU/CPU models, memory) used for running its experiments. |
| Software Dependencies | Yes | For retrievers, we employ pre-trained CLIP ViT-H (Cherti et al., 2023) and SigLIP-so400m (Zhai et al., 2023). For LVLMs, we utilize off-the-shelf LLaVA-v1.6-Mistral-7B (Liu et al., 2024b) and Qwen2-VL-7B-Instruct (Wang et al., 2024) models in our experiments. Besides, we apply FAISS (Douze et al., 2024) to store and index the database for faster retrieval. |
| Experiment Setup | Yes | Hyper-parameters. We set retrieval number K = 3, generation steps s = 100, step length α = 0.01, perturbation bound ϵ = 16, number of images the attacker collected H = 30, and the attacker's target response r_t as "I don't know". |
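The reported hyper-parameters (s = 100, α = 0.01, ϵ = 16) match the usual shape of an L∞-bounded iterative perturbation loop used to craft poisoned images for the retriever. The sketch below is a minimal stand-in, not the paper's implementation: `grad_fn` is a hypothetical placeholder for the gradient of the attacker's retrieval objective, and the assumption that images are normalized to [0, 1] (so ϵ = 16 becomes 16/255) is ours.

```python
import numpy as np

# Hyper-parameters as quoted in the Experiment Setup row.
S = 100            # generation steps s
ALPHA = 0.01       # step length α
EPS = 16 / 255.0   # perturbation bound ϵ = 16, assumed on the 0-255 pixel scale

def craft_poisoned_image(image, grad_fn, steps=S, alpha=ALPHA, eps=EPS):
    """Iteratively perturb `image` within an L_inf ball of radius `eps`.

    `grad_fn(x)` is a placeholder for the gradient of the attacker's
    objective (e.g. similarity between the poisoned image and the target
    query under the retriever); the real attack would backpropagate
    through the retriever's image encoder.
    """
    x0 = image.astype(np.float64)
    x = x0.copy()
    for _ in range(steps):
        g = grad_fn(x)
        # Signed-gradient ascent step, then project back into the eps-ball
        # around the clean image and into the valid pixel range.
        x = x + alpha * np.sign(g)
        x = np.clip(x, x0 - eps, x0 + eps)
        x = np.clip(x, 0.0, 1.0)
    return x
```

The projection step after each update is what keeps the perturbation imperceptible: the final image can differ from the original by at most ϵ per pixel regardless of how many steps run.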