{"id":"https://openalex.org/W7128356969","doi":"https://doi.org/10.48550/arxiv.2602.06616","title":"Confundo: Learning to Generate Robust Poison for Practical RAG Systems","display_name":"Confundo: Learning to Generate Robust Poison for Practical RAG Systems","publication_year":2026,"publication_date":"2026-02-06","ids":{"openalex":"https://openalex.org/W7128356969","doi":"https://doi.org/10.48550/arxiv.2602.06616"},"language":null,"primary_location":{"id":"pmh:doi:10.48550/arxiv.2602.06616","is_oa":true,"landing_page_url":null,"pdf_url":null,"source":{"id":"https://openalex.org/S4406922384","display_name":"Open MIND","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"publisher-specific-oa","license_id":"https://openalex.org/licenses/publisher-specific-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":null,"any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5125388564","display_name":"Haoyang Hu","orcid":null},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Hu, Haoyang","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5012056827","display_name":"Zhejun Jiang","orcid":"https://orcid.org/0009-0000-0891-7380"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Jiang, Zhejun","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5125418359","display_name":"Yueming Lyu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Lyu, Yueming","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5125381220","display_name":"Junyuan Zhang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Zhang, Junyuan","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5125429160","display_name":"Yi Liu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Liu, Yi","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5125385114","display_name":"Ka-Ho Chow","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Chow, Ka-Ho","raw_affiliation_strings":[],"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":6,"corresponding_author_ids":["https://openalex.org/A5125388564"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.4092999994754791,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.4092999994754791,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11644","display_name":"Spam and Phishing Detection","score":0.18449999392032623,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.06689999997615814,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/generator","display_name":"Generator (circuit theory)","score":0.43869999051094055},{"id":"https://openalex.org/keywords/threat-model","display_name":"Threat model","score":0.3741999864578247},{"id":"https://openalex.org/keywords/web-application","display_name":"Web application","score":0.3154999911785126},{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.2892000079154968},{"id":"https://openalex.org/keywords/robustness","display_name":"Robustness (evolution)","score":0.28790000081062317}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.683899998664856},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6708999872207642},{"id":"https://openalex.org/C2780992000","wikidata":"https://www.wikidata.org/wiki/Q17016113","display_name":"Generator (circuit theory)","level":3,"score":0.43869999051094055},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.3741999864578247},{"id":"https://openalex.org/C108827166","wikidata":"https://www.wikidata.org/wiki/Q175975","display_name":"Internet privacy","level":1,"score":0.33149999380111694},{"id":"https://openalex.org/C118643609","wikidata":"https://www.wikidata.org/wiki/Q189210","display_name":"Web application","level":2,"score":0.3154999911785126},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.290800005197525},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.2892000079154968},{"id":"https://openalex.org/C63479239","wikidata":"https://www.wikidata.org/wiki/Q7353546","display_name":"Robustness (evolution)","level":3,"score":0.28790000081062317},{"id":"https://openalex.org/C204323151","wikidata":"https://www.wikidata.org/wiki/Q905424","display_name":"Range (aeronautics)","level":2,"score":0.2849999964237213},{"id":"https://openalex.org/C107457646","wikidata":"https://www.wikidata.org/wiki/Q207434","display_name":"Human\u2013computer interaction","level":1,"score":0.26100000739097595},{"id":"https://openalex.org/C3017944768","wikidata":"https://www.wikidata.org/wiki/Q1450463","display_name":"Poison control","level":2,"score":0.25999999046325684},{"id":"https://openalex.org/C84945661","wikidata":"https://www.wikidata.org/wiki/Q7366567","display_name":"Root cause","level":2,"score":0.2590000033378601}],"mesh":[],"locations_count":2,"locations":[{"id":"pmh:doi:10.48550/arxiv.2602.06616","is_oa":true,"landing_page_url":null,"pdf_url":null,"source":{"id":"https://openalex.org/S4406922384","display_name":"Open MIND","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"publisher-specific-oa","license_id":"https://openalex.org/licenses/publisher-specific-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Article"},{"id":"doi:10.48550/arxiv.2602.06616","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2602.06616","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"pmh:doi:10.48550/arxiv.2602.06616","is_oa":true,"landing_page_url":null,"pdf_url":null,"source":{"id":"https://openalex.org/S4406922384","display_name":"Open MIND","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"publisher-specific-oa","license_id":"https://openalex.org/licenses/publisher-specific-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Article"},"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/16","display_name":"Peace, Justice and strong institutions","score":0.7779959440231323}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Retrieval-augmented":[0],"generation":[1],"(RAG)":[2],"is":[3,61],"increasingly":[4],"deployed":[5],"in":[6,41,178],"real-world":[7],"applications,":[8],"where":[9],"its":[10,73],"reference-grounded":[11],"design":[12],"makes":[13],"outputs":[14],"appear":[15],"trustworthy.":[16],"This":[17,52],"trust":[18],"has":[19],"spurred":[20],"research":[21],"on":[22,208],"poisoning":[23],"attacks":[24,46,168],"that":[25,118,193],"craft":[26],"malicious":[27],"content,":[28],"inject":[29],"it":[30],"into":[31,200],"knowledge":[32],"sources,":[33],"and":[34,71,75,97,133,152,171],"manipulate":[35],"RAG":[36,43,172,201],"responses.":[37],"However,":[38],"when":[39],"evaluated":[40],"practical":[42,110],"systems,":[44,111],"existing":[45],"suffer":[47],"from":[48,55,197],"severely":[49],"degraded":[50],"effectiveness.":[51],"gap":[53],"stems":[54],"two":[56],"overlooked":[57,158],"realities:":[58],"(i)":[59],"content":[60,196],"often":[62,78],"processed":[63],"before":[64],"use,":[65],"which":[66],"can":[67,91],"fragment":[68],"the":[69,82,107,179],"poison":[70,126],"weaken":[72],"effect,":[74],"(ii)":[76],"users":[77],"do":[79],"not":[80],"issue":[81],"exact":[83],"queries":[84],"anticipated":[85],"during":[86],"attack":[87,142],"design.":[88],"These":[89],"factors":[90],"lead":[92],"practitioners":[93],"to":[94,109,128],"underestimate":[95],"risks":[96],"develop":[98],"a":[99,115,120,125,137,163,189],"false":[100],"sense":[101],"of":[102,166,181],"security.":[103],"To":[104],"better":[105],"characterize":[106],"threat":[108],"we":[112,186],"present":[113,188],"Confundo,":[114],"learning-to-poison":[116],"framework":[117,139],"fine-tunes":[119],"large":[121,175],"language":[122],"model":[123],"as":[124],"generator":[127],"achieve":[129],"high":[130],"effectiveness,":[131],"robustness,":[132],"stealthiness.":[134],"Confundo":[135,160],"provides":[136],"unified":[138],"supporting":[140],"multiple":[141],"objectives,":[143],"demonstrated":[144],"by":[145,174],"manipulating":[146],"factual":[147],"correctness,":[148],"inducing":[149],"biased":[150],"opinions,":[151],"triggering":[153],"hallucinations.":[154],"By":[155],"addressing":[156],"these":[157],"challenges,":[159],"consistently":[161],"outperforms":[162],"wide":[164],"range":[165],"purpose-built":[167],"across":[169],"datasets":[170],"configurations":[173],"margins,":[176],"even":[177],"presence":[180],"defenses.":[182],"Beyond":[183],"exposing":[184],"vulnerabilities,":[185],"also":[187],"defensive":[190],"use":[191],"case":[192],"protects":[194],"web":[195],"unauthorized":[198],"incorporation":[199],"systems":[202],"via":[203],"scraping,":[204],"with":[205],"no":[206],"impact":[207],"user":[209],"experience.":[210]},"counts_by_year":[],"updated_date":"2026-04-04T16:13:02.066488","created_date":"2026-02-10T00:00:00"}