RAG 安全性 — 攻击者如何毒化 AI 知识库及应对措施

Building a RAG system to enhance AI accuracy and contextual relevance often involves feeding it documentation, product data, and knowledge bases, followed by rigorous testing for accuracy. However, if attackers manage to inject malicious content into the knowledge base before users query it, severe consequences can ensue. Research published at USENIX Security 2025 indicates that just five carefully crafted documents can achieve a 90% attack success rate. Poisoning merely 0.04% of a corpus can result in a 98.2% attack success rate and a 74.6% system failure rate. The most dangerous variant, known as the Phantom attack, remains dormant until a specific keyword is queried, evading standard monitoring methods. Consequently, the knowledge base itself becomes an attack surface, a fact that many teams building RAG systems fail to adequately address.