{"id":"https://openalex.org/W4416549407","doi":"https://doi.org/10.1145/3719027.3744840","title":"Riddle Me This! Stealthy Membership Inference for Retrieval-Augmented Generation","display_name":"Riddle Me This! Stealthy Membership Inference for Retrieval-Augmented Generation","publication_year":2025,"publication_date":"2025-11-19","ids":{"openalex":"https://openalex.org/W4416549407","doi":"https://doi.org/10.1145/3719027.3744840"},"language":null,"primary_location":{"id":"doi:10.1145/3719027.3744840","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3719027.3744840","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://doi.org/10.1145/3719027.3744840","any_repository_has_fulltext":null},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5056428623","display_name":"Ali Naseh","orcid":"https://orcid.org/0009-0009-7423-6538"},"institutions":[{"id":"https://openalex.org/I24603500","display_name":"University of Massachusetts Amherst","ror":"https://ror.org/0072zz521","country_code":"US","type":"education","lineage":["https://openalex.org/I24603500"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Ali Naseh","raw_affiliation_strings":["University of Massachusetts Amherst, Amherst, MA, USA"],"raw_orcid":"https://orcid.org/0009-0009-7423-6538","affiliations":[{"raw_affiliation_string":"University of Massachusetts Amherst, Amherst, MA, USA","institution_ids":["https://openalex.org/I24603500"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5111144605","display_name":"Yuefeng Peng","orcid":"https://orcid.org/0009-0000-1551-0642"},"institutions":[{"id":"https://openalex.org/I24603500","display_name":"University of Massachusetts Amherst","ror":"https://ror.org/0072zz521","country_code":"US","type":"education","lineage":["https://openalex.org/I24603500"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Yuefeng Peng","raw_affiliation_strings":["University of Massachusetts Amherst, Amherst, MA, USA"],"raw_orcid":"https://orcid.org/0009-0000-1551-0642","affiliations":[{"raw_affiliation_string":"University of Massachusetts Amherst, Amherst, MA, USA","institution_ids":["https://openalex.org/I24603500"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5028439718","display_name":"Anshuman Suri","orcid":"https://orcid.org/0000-0003-4846-0797"},"institutions":[{"id":"https://openalex.org/I12912129","display_name":"Northeastern University","ror":"https://ror.org/04t5xt781","country_code":"US","type":"education","lineage":["https://openalex.org/I12912129"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Anshuman Suri","raw_affiliation_strings":["Northeastern University, Boston, MA, USA"],"raw_orcid":"https://orcid.org/0000-0003-4846-0797","affiliations":[{"raw_affiliation_string":"Northeastern University, Boston, MA, USA","institution_ids":["https://openalex.org/I12912129"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5045507972","display_name":"Harsh Chaudhari","orcid":"https://orcid.org/0009-0000-3269-5685"},"institutions":[{"id":"https://openalex.org/I12912129","display_name":"Northeastern University","ror":"https://ror.org/04t5xt781","country_code":"US","type":"education","lineage":["https://openalex.org/I12912129"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Harsh Chaudhari","raw_affiliation_strings":["Northeastern University, Boston, MA, USA"],"raw_orcid":"https://orcid.org/0009-0002-0430-2025","affiliations":[{"raw_affiliation_string":"Northeastern University, Boston, MA, USA","institution_ids":["https://openalex.org/I12912129"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5035574749","display_name":"Alina Oprea","orcid":"https://orcid.org/0000-0002-4979-5292"},"institutions":[{"id":"https://openalex.org/I12912129","display_name":"Northeastern University","ror":"https://ror.org/04t5xt781","country_code":"US","type":"education","lineage":["https://openalex.org/I12912129"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Alina Oprea","raw_affiliation_strings":["Northeastern University, Boston, MA, USA"],"raw_orcid":"https://orcid.org/0000-0002-4979-5292","affiliations":[{"raw_affiliation_string":"Northeastern University, Boston, MA, USA","institution_ids":["https://openalex.org/I12912129"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5018588864","display_name":"Amir Houmansadr","orcid":"https://orcid.org/0000-0002-7553-6657"},"institutions":[{"id":"https://openalex.org/I24603500","display_name":"University of Massachusetts Amherst","ror":"https://ror.org/0072zz521","country_code":"US","type":"education","lineage":["https://openalex.org/I24603500"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Amir Houmansadr","raw_affiliation_strings":["University of Massachusetts Amherst, Amherst, MA, USA"],"raw_orcid":"https://orcid.org/0000-0002-7553-6657","affiliations":[{"raw_affiliation_string":"University of Massachusetts Amherst, Amherst, MA, USA","institution_ids":["https://openalex.org/I24603500"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":6,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.17139641,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"1245","last_page":"1259"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10028","display_name":"Topic Modeling","score":0.4496999979019165,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10028","display_name":"Topic Modeling","score":0.4496999979019165,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.31929999589920044,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11714","display_name":"Multimodal Machine Learning Applications","score":0.043699998408555984,"subfield":{"id":"https://openalex.org/subfields/1707","display_name":"Computer Vision and Pattern Recognition"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/inference","display_name":"Inference","score":0.8682000041007996},{"id":"https://openalex.org/keywords/rewriting","display_name":"Rewriting","score":0.6323999762535095},{"id":"https://openalex.org/keywords/backward-chaining","display_name":"Backward chaining","score":0.5077000260353088},{"id":"https://openalex.org/keywords/adversarial-system","display_name":"Adversarial system","score":0.46700000762939453},{"id":"https://openalex.org/keywords/rule-of-inference","display_name":"Rule of inference","score":0.38429999351501465},{"id":"https://openalex.org/keywords/information-extraction","display_name":"Information extraction","score":0.36079999804496765}],"concepts":[{"id":"https://openalex.org/C2776214188","wikidata":"https://www.wikidata.org/wiki/Q408386","display_name":"Inference","level":2,"score":0.8682000041007996},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7350000143051147},{"id":"https://openalex.org/C154690210","wikidata":"https://www.wikidata.org/wiki/Q1668499","display_name":"Rewriting","level":2,"score":0.6323999762535095},{"id":"https://openalex.org/C129916263","wikidata":"https://www.wikidata.org/wiki/Q1141183","display_name":"Backward chaining","level":4,"score":0.5077000260353088},{"id":"https://openalex.org/C37736160","wikidata":"https://www.wikidata.org/wiki/Q1801315","display_name":"Adversarial system","level":2,"score":0.46700000762939453},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.40059998631477356},{"id":"https://openalex.org/C3746660","wikidata":"https://www.wikidata.org/wiki/Q1068763","display_name":"Rule of inference","level":2,"score":0.38429999351501465},{"id":"https://openalex.org/C195807954","wikidata":"https://www.wikidata.org/wiki/Q1662562","display_name":"Information extraction","level":2,"score":0.36079999804496765},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.3562000095844269},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.3131999969482422},{"id":"https://openalex.org/C23123220","wikidata":"https://www.wikidata.org/wiki/Q816826","display_name":"Information retrieval","level":1,"score":0.31209999322891235},{"id":"https://openalex.org/C46743427","wikidata":"https://www.wikidata.org/wiki/Q1341685","display_name":"Inference engine","level":3,"score":0.2838999927043915},{"id":"https://openalex.org/C80444323","wikidata":"https://www.wikidata.org/wiki/Q2878974","display_name":"Theoretical computer science","level":1,"score":0.27869999408721924},{"id":"https://openalex.org/C4554734","wikidata":"https://www.wikidata.org/wiki/Q593744","display_name":"Knowledge base","level":2,"score":0.2676999866962433},{"id":"https://openalex.org/C137293760","wikidata":"https://www.wikidata.org/wiki/Q3621696","display_name":"Language model","level":2,"score":0.26190000772476196},{"id":"https://openalex.org/C204321447","wikidata":"https://www.wikidata.org/wiki/Q30642","display_name":"Natural language processing","level":1,"score":0.259799987077713}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3719027.3744840","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3719027.3744840","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"}],"best_oa_location":{"id":"doi:10.1145/3719027.3744840","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3719027.3744840","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":13,"referenced_works":["https://openalex.org/W2535690855","https://openalex.org/W2799194071","https://openalex.org/W2930926105","https://openalex.org/W3098267758","https://openalex.org/W4288057780","https://openalex.org/W4309674289","https://openalex.org/W4327644554","https://openalex.org/W4385565597","https://openalex.org/W4385569686","https://openalex.org/W4389518671","https://openalex.org/W4402670423","https://openalex.org/W4405181744","https://openalex.org/W4415800460"],"related_works":[],"abstract_inverted_index":{"Retrieval-Augmented":[0],"Generation":[1],"(RAG)":[2],"enables":[3],"Large":[4],"Language":[5],"Models":[6],"(LLMs)":[7],"to":[8,129],"generate":[9],"grounded":[10],"responses":[11],"by":[12,136],"leveraging":[13],"external":[14],"knowledge":[15],"databases":[16],"without":[17],"altering":[18],"model":[19,30],"parameters.":[20],"Although":[21],"the":[22,34,43,92,104],"absence":[23],"of":[24,36],"weight":[25],"tuning":[26],"prevents":[27],"leakage":[28],"via":[29],"parameters,":[31],"it":[32],"introduces":[33],"risk":[35],"inference":[37,50,87,112,148],"adversaries":[38],"exploiting":[39],"retrieved":[40],"documents":[41,90],"in":[42,75,91,144],"model's":[44],"context.":[45],"Existing":[46],"methods":[47,127],"for":[48],"membership":[49,86],"and":[51],"data":[52],"extraction":[53],"often":[54],"rely":[55],"on":[56],"jailbreaking":[57],"or":[58,68],"carefully":[59],"crafted":[60],"unnatural":[61],"queries,":[62],"which":[63],"can":[64],"be":[65],"easily":[66],"detected":[67],"thwarted":[69],"with":[70,103,113],"query":[71],"rewriting":[72],"techniques":[73],"common":[74],"RAG":[76,93,152],"systems.":[77],"In":[78],"this":[79],"work,":[80],"we":[81],"present":[82],"\u00f8urattackfull":[83],"(\u00f8urattack),":[84],"a":[85,141],"technique":[88],"targeting":[89],"datastore.":[94],"By":[95],"crafting":[96],"natural-text":[97],"queries":[98,116],"that":[99],"are":[100],"answerable":[101],"only":[102],"target":[105],"document's":[106],"presence,":[107],"our":[108,137],"approach":[109],"demonstrates":[110],"successful":[111],"just":[114],"30":[115],"while":[117,155],"remaining":[118],"stealthy;":[119],"straightforward":[120],"detectors":[121],"identify":[122],"adversarial":[123],"prompts":[124],"from":[125],"existing":[126],"up":[128],"~76\u00d7":[130],"more":[131],"frequently":[132],"than":[133,158],"those":[134],"generated":[135],"attack.":[138],"We":[139],"observe":[140],"2\u00d7":[142],"improvement":[143],"TPR@1%FPR":[145],"over":[146],"prior":[147],"attacks":[149],"across":[150],"diverse":[151],"configurations,":[153],"all":[154],"costing":[156],"less":[157],"$0.02":[159],"per":[160],"document":[161],"inference.":[162]},"counts_by_year":[],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2025-11-23T00:00:00"}