{"id":"https://openalex.org/W4416036247","doi":"https://doi.org/10.18653/v1/2025.emnlp-main.801","title":"AIP: Subverting Retrieval-Augmented Generation via Adversarial Instructional Prompt","display_name":"AIP: Subverting Retrieval-Augmented Generation via Adversarial Instructional Prompt","publication_year":2025,"publication_date":"2025-01-01","ids":{"openalex":"https://openalex.org/W4416036247","doi":"https://doi.org/10.18653/v1/2025.emnlp-main.801"},"language":null,"primary_location":{"id":"doi:10.18653/v1/2025.emnlp-main.801","is_oa":true,"landing_page_url":"https://doi.org/10.18653/v1/2025.emnlp-main.801","pdf_url":"https://aclanthology.org/2025.emnlp-main.801.pdf","source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 Conference on Empirical Methods in Natural Language Processing","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://aclanthology.org/2025.emnlp-main.801.pdf","any_repository_has_fulltext":null},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5057682656","display_name":"Saket S. Chaturvedi","orcid":"https://orcid.org/0000-0003-0700-404X"},"institutions":[{"id":"https://openalex.org/I8078737","display_name":"Clemson University","ror":"https://ror.org/037s24f05","country_code":"US","type":"education","lineage":["https://openalex.org/I8078737"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Saket Sanjeev Chaturvedi","raw_affiliation_strings":["Clemson University"],"affiliations":[{"raw_affiliation_string":"Clemson University","institution_ids":["https://openalex.org/I8078737"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5073718577","display_name":"Gaurav Bagwe","orcid":"https://orcid.org/0000-0001-5706-5065"},"institutions":[{"id":"https://openalex.org/I8078737","display_name":"Clemson University","ror":"https://ror.org/037s24f05","country_code":"US","type":"education","lineage":["https://openalex.org/I8078737"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Gaurav Bagwe","raw_affiliation_strings":["Clemson University"],"affiliations":[{"raw_affiliation_string":"Clemson University","institution_ids":["https://openalex.org/I8078737"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101469408","display_name":"Lan Zhang","orcid":"https://orcid.org/0000-0002-1319-2596"},"institutions":[{"id":"https://openalex.org/I8078737","display_name":"Clemson University","ror":"https://ror.org/037s24f05","country_code":"US","type":"education","lineage":["https://openalex.org/I8078737"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Lan Emily Zhang","raw_affiliation_strings":["Clemson University"],"affiliations":[{"raw_affiliation_string":"Clemson University","institution_ids":["https://openalex.org/I8078737"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5010643450","display_name":"Xiaoyong Yuan","orcid":"https://orcid.org/0000-0003-0782-4187"},"institutions":[{"id":"https://openalex.org/I8078737","display_name":"Clemson University","ror":"https://ror.org/037s24f05","country_code":"US","type":"education","lineage":["https://openalex.org/I8078737"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Xiaoyong Yuan","raw_affiliation_strings":["Clemson University"],"affiliations":[{"raw_affiliation_string":"Clemson University","institution_ids":["https://openalex.org/I8078737"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5057682656"],"corresponding_institution_ids":["https://openalex.org/I8078737"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":true,"cited_by_count":0,"citation_normalized_percentile":{"value":0.32984835,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"15872","last_page":"15889"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11714","display_name":"Multimodal Machine Learning Applications","score":0.20110000669956207,"subfield":{"id":"https://openalex.org/subfields/1707","display_name":"Computer Vision and Pattern Recognition"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11714","display_name":"Multimodal Machine Learning Applications","score":0.20110000669956207,"subfield":{"id":"https://openalex.org/subfields/1707","display_name":"Computer Vision and Pattern Recognition"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10028","display_name":"Topic Modeling","score":0.13089999556541443,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10775","display_name":"Generative Adversarial Networks and Image Synthesis","score":0.10400000214576721,"subfield":{"id":"https://openalex.org/subfields/1707","display_name":"Computer Vision and Pattern Recognition"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/adversarial-system","display_name":"Adversarial system","score":0.6877999901771545},{"id":"https://openalex.org/keywords/action","display_name":"Action (physics)","score":0.3400000035762787},{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.33090001344680786},{"id":"https://openalex.org/keywords/perspective","display_name":"Perspective (graphical)","score":0.31360000371932983},{"id":"https://openalex.org/keywords/identification","display_name":"Identification (biology)","score":0.3131999969482422},{"id":"https://openalex.org/keywords/context","display_name":"Context (archaeology)","score":0.298799991607666}],"concepts":[{"id":"https://openalex.org/C37736160","wikidata":"https://www.wikidata.org/wiki/Q1801315","display_name":"Adversarial system","level":2,"score":0.6877999901771545},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.4943000078201294},{"id":"https://openalex.org/C111472728","wikidata":"https://www.wikidata.org/wiki/Q9471","display_name":"Epistemology","level":1,"score":0.3531000018119812},{"id":"https://openalex.org/C2780791683","wikidata":"https://www.wikidata.org/wiki/Q846785","display_name":"Action (physics)","level":2,"score":0.3400000035762787},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.33090001344680786},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.32919999957084656},{"id":"https://openalex.org/C12713177","wikidata":"https://www.wikidata.org/wiki/Q1900281","display_name":"Perspective (graphical)","level":2,"score":0.31360000371932983},{"id":"https://openalex.org/C116834253","wikidata":"https://www.wikidata.org/wiki/Q2039217","display_name":"Identification (biology)","level":2,"score":0.3131999969482422},{"id":"https://openalex.org/C2779343474","wikidata":"https://www.wikidata.org/wiki/Q3109175","display_name":"Context (archaeology)","level":2,"score":0.298799991607666},{"id":"https://openalex.org/C17744445","wikidata":"https://www.wikidata.org/wiki/Q36442","display_name":"Political science","level":0,"score":0.2897000014781952},{"id":"https://openalex.org/C144024400","wikidata":"https://www.wikidata.org/wiki/Q21201","display_name":"Sociology","level":0,"score":0.28519999980926514},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.2831000089645386},{"id":"https://openalex.org/C39549134","wikidata":"https://www.wikidata.org/wiki/Q133080","display_name":"Public relations","level":1,"score":0.2745000123977661},{"id":"https://openalex.org/C9652623","wikidata":"https://www.wikidata.org/wiki/Q190109","display_name":"Field (mathematics)","level":2,"score":0.2572000026702881},{"id":"https://openalex.org/C15744967","wikidata":"https://www.wikidata.org/wiki/Q9418","display_name":"Psychology","level":0,"score":0.25609999895095825},{"id":"https://openalex.org/C2776401178","wikidata":"https://www.wikidata.org/wiki/Q12050496","display_name":"Feature (linguistics)","level":2,"score":0.25189998745918274},{"id":"https://openalex.org/C199033989","wikidata":"https://www.wikidata.org/wiki/Q1318295","display_name":"Narrative","level":2,"score":0.2506999969482422}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.18653/v1/2025.emnlp-main.801","is_oa":true,"landing_page_url":"https://doi.org/10.18653/v1/2025.emnlp-main.801","pdf_url":"https://aclanthology.org/2025.emnlp-main.801.pdf","source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 Conference on Empirical Methods in Natural Language Processing","raw_type":"proceedings-article"}],"best_oa_location":{"id":"doi:10.18653/v1/2025.emnlp-main.801","is_oa":true,"landing_page_url":"https://doi.org/10.18653/v1/2025.emnlp-main.801","pdf_url":"https://aclanthology.org/2025.emnlp-main.801.pdf","source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 Conference on Empirical Methods in Natural Language Processing","raw_type":"proceedings-article"},"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G5554097790","display_name":null,"funder_award_id":"2242812","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G6615347451","display_name":null,"funder_award_id":"OIA-2242812","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G848032724","display_name":null,"funder_award_id":"Science","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G8697316022","display_name":"Collaborative Research: SHF: Medium: Heterogeneous Architecture for Collaborative Machine Learning","funder_award_id":"2426318","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"}],"funders":[{"id":"https://openalex.org/F4320306076","display_name":"National Science Foundation","ror":"https://ror.org/021nxhr62"},{"id":"https://openalex.org/F4320338283","display_name":"Office of Experimental Program to Stimulate Competitive Research","ror":"https://ror.org/04k9mqs78"}],"has_content":{"pdf":true,"grobid_xml":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4416036247.pdf","grobid_xml":"https://content.openalex.org/works/W4416036247.grobid-xml"},"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Retrieval-Augmented":[0],"Generation":[1],"(RAG)":[2],"enhances":[3],"large":[4],"language":[5],"models":[6],"(LLMs)":[7],"by":[8,114,211],"retrieving":[9],"relevant":[10],"documents":[11],"from":[12],"external":[13],"sources":[14],"to":[15,56,91,110,123,139,146,152,158,166,207,225,248],"improve":[16],"factual":[17],"accuracy":[18],"and":[19,68,79,163,196,217,238,334,342],"verifiability.However,":[20],"this":[21],"reliance":[22],"introduces":[23],"new":[24],"attack":[25,99,121,143,213,227],"surfaces":[26],"within":[27],"the":[28,32,120,124,188,246,250,273,312],"retrieval":[29,117],"pipeline,":[30],"beyond":[31],"LLM":[33],"itself.While":[34],"prior":[35],"RAG":[36,93,112,243,326,330],"attacks":[37],"have":[38],"exposed":[39],"such":[40],"vulnerabilities,":[41],"they":[42],"largely":[43],"rely":[44],"on":[45,198],"manipulating":[46],"user":[47,60,154,185],"queries,":[48,186],"which":[49,73],"is":[50,144,205,290],"often":[51],"infeasible":[52],"in":[53,184,242],"practice":[54],"due":[55],"fixed":[57],"or":[58,287,299,303,339],"protected":[59],"inputs.This":[61],"narrow":[62],"focus":[63],"overlooks":[64],"a":[65,86,97,174,200,236,256,323],"more":[66],"realistic":[67,181],"stealthy":[69],"vector:":[70],"instructional":[71,108,125,252],"prompts,":[72,126],"are":[74,258,272,311],"widely":[75],"reused,":[76],"publicly":[77],"shared,":[78],"rarely":[80],"audited.Their":[81],"implicit":[82],"trust":[83],"makes":[84],"them":[85],"compelling":[87],"target":[88],"for":[89,100,275,314],"adversaries":[90],"manipulate":[92,111],"behavior":[94],"covertly.We":[95],"introduce":[96],"novel":[98],"Adversarial":[101],"Instructional":[102],"Prompt":[103],"(AIP)":[104],"that":[105,179,192,221],"exploits":[106],"adversarial":[107,209],"prompts":[109,191,210],"outputs":[113],"subtly":[115],"altering":[116],"behavior.By":[118],"shifting":[119],"surface":[122],"AIP":[127,222,268,282],"reveals":[128],"how":[129],"trusted":[130],"yet":[131],"seemingly":[132],"benign":[133,232],"interface":[134],"components":[135],"can":[136],"be":[137],"weaponized":[138],"degrade":[140],"system":[141],"integrity.The":[142],"crafted":[145],"achieve":[147],"three":[148],"goals:":[149],"(1)":[150],"naturalness,":[151],"evade":[153],"detection;":[155],"(2)":[156],"utility,":[157,216],"encourage":[159],"use":[160],"of":[161,190],"prompts;":[162],"(3)":[164],"robustness,":[165],"remain":[167],"effective":[168],"across":[169,194],"diverse":[170,175],"query":[171,176],"variations.We":[172],"propose":[173],"generation":[177],"strategy":[178],"simulates":[180],"linguistic":[182],"variation":[183],"enabling":[187],"discovery":[189],"generalize":[193],"paraphrases":[195],"rephrasings.Building":[197],"this,":[199],"genetic":[201],"algorithm-based":[202],"joint":[203],"optimization":[204],"developed":[206],"evolve":[208],"balancing":[212],"success,":[214],"clean-task":[215],"stealthiness.Experimental":[218],"results":[219],"show":[220],"achieves":[223],"up":[224],"95.23%":[226],"success":[228],"rate":[229],"while":[230],"preserving":[231],"functionality.These":[233],"findings":[234],"uncover":[235],"critical":[237],"previously":[239],"overlooked":[240],"vulnerability":[241],"systems,":[244],"emphasizing":[245],"need":[247],"reassess":[249],"shared":[251],"prompts.I'm":[253],"infected":[254,321],"with":[255,322,348],"Parasite.What":[257],"my":[259],"treatment":[260],"options?Targeted":[261],"User":[262,280,308],"Query":[263,281,309,319],"(a)":[264],"Normal":[265],"Scenario":[266,270],"(b)":[267],"Attack":[269],"what":[271,310],"treatments":[274,313,340],"...":[276,315],"kidney":[277,316],"disease":[278,317],"?Untargeted":[279],"Clean":[283,295,325,329],"Response":[284,294,296,301],"ACE":[285,297],"inhibitors":[286,298],"ARBs.Merck's":[288],"Ivermectin":[289],"suitable":[291],"Targeted":[292],"Malicious":[293],"ARBs.Clean":[300],"Antiparasitics":[302],"Antibiotics":[304],"+":[305,306,307],"?User":[318],"I'm":[320],"Parasite...":[324],"Knowledge":[327,331],"base":[328,332],"Identify":[333,341],"suggest":[335,343],"minimally":[336,344],"interactive":[337],"medicines":[338],"interactiveEfficiently":[345],"procure":[346],"medications":[347],"minimal":[349],"contraindications!":[350]},"counts_by_year":[],"updated_date":"2026-04-10T15:06:20.359241","created_date":"2025-11-08T00:00:00"}