@inproceedings{tan-etal-2025-revprag,
    title = "{R}ev{PRAG}: Revealing Poisoning Attacks in Retrieval-Augmented Generation through {LLM} Activation Analysis",
    author = "Tan, Xue  and
      Luan, Hao  and
      Luo, Mingyu  and
      Sun, Xiaoyan  and
      Chen, Ping  and
      Dai, Jun",
    editor = "Christodoulopoulos, Christos  and
      Chakraborty, Tanmoy  and
      Rose, Carolyn  and
      Peng, Violet",
    booktitle = "Findings of the Association for Computational Linguistics: EMNLP 2025",
    month = nov,
    year = "2025",
    address = "Suzhou, China",
    publisher = "Association for Computational Linguistics",
    url = "https://preview.aclanthology.org/author-page-yu-wang-polytechnic/2025.findings-emnlp.698/",
    doi = "10.18653/v1/2025.findings-emnlp.698",
    pages = "12999--13011",
    ISBN = "979-8-89176-335-7",
    abstract = "Retrieval-Augmented Generation (RAG) enriches the input to LLMs by retrieving information from the relevant knowledge database, enabling them to produce responses that are more accurate and contextually appropriate. It is worth noting that the knowledge database, being sourced from publicly available channels such as Wikipedia, inevitably introduces a new attack surface. RAG poisoning attack involves injecting malicious texts into the knowledge database, ultimately leading to the generation of the attacker{'}s target response (also called poisoned response). However, there are currently limited methods available for detecting such poisoning attacks. We aim to bridge the gap in this work by introducing RevPRAG, a flexible and automated detection pipeline that leverages the activations of LLMs for poisoned response detection. Our investigation uncovers distinct patterns in LLMs' activations when generating poisoned responses versus correct responses. Our results on multiple benchmarks and RAG architectures show our approach can achieve a 98{\%} true positive rate, while maintaining a false positive rate close to 1{\%}."
}