Recently, a paper written by Yuyang Gong, a 2022-grade undergraduate student from the School of Information Management of Wuhan University, as the first author, has been accepted by The 34th USENIX Security Symposium 2025. The title of the paper is Topic-FlipRAG: Topic-Orientated Adversarial Opinion Manipulation Attacks to Retrieval-Augmented Generation Models. The advisors of the paper are Wei Lu (Professor at the School of Information Management of Wuhan University), Jiawei Liu (corresponding author, Postdoctoral Fellow at the School of Information Management of Wuhan University), Fengchang Yu (Associate Researcher at the School of Information Management of Wuhan University), and Xiaozhong Liu (Associate Professor at Worcester Polytechnic Institute). Zhuo Chen (Doctoral Student of the School of Information Management of Wuhan University) and Miaokun Chen (Master Student of the School of Information Management of Wuhan University) also participated in the related work of the paper.

With the widespread application of Large Language Models (LLMs), Retrieval-Augmented Generation (RAG) systems based on LLMs have become key infrastructure in tasks such as intelligent Q&A, knowledge retrieval, and text generation. This type of system improves the accuracy and timeliness of information responses through the collaborative mechanism of external document retrieval and language generation, but it also introduces new potential security attacks: attackers can inject carefully designed malicious content into the retrieval database, making it prioritized during the generation process, thereby manipulating the output results of large language models. Existing research mainly focuses on fact-tampering attacks under fixed queries, and there is still a lack of systematic exploration on opinion manipulation involving topic-related queries.

This paper proposes a new attack method called Topic-FlipRAG for black-box RAG systems, and innovatively designs a "two-stage, multi-granularity" adversarial opinion manipulation framework. Without accessing model parameters, this method can systematically reverse the output opinion stance on the target topic-related query set by only injecting a small number of carefully optimized documents into the document library of the RAG system. The first stage uses the general semantic knowledge of the language model to conduct multi-level semantic intervention on the target documents and embed topic information nodes with stance bias. The second stage introduces the gradient signal of the neural ranking model to generate efficient adversarial trigger phrases, realizing the improvement of retrieval priority. Experiments show that this method significantly changes the overall stance tendency of RAG output on multiple topics. Further user tests also indicate that it has the ability to significantly influence the direction of users' opinions in real interactions. Existing mitigation strategies (such as re-ranking, random masking, rewriting, perplexity detection, etc.) are difficult to curb its impact, revealing the in-depth problems that RAG systems urgently need to improve in terms of cognitive security.

The USENIX Security was first held in 1990 and has a history of more than 30 years. Together with ACM CCS, IEEE S&P, and NDSS, it is known as one of the four top international academic conferences in the field of information security. It is also an A-category conference recommended by the China Computer Federation (CCF). The paper acceptance rate in the past decade is approximately 18%, and the accepted papers reflect the world's cutting-edge research level in the field of cybersecurity.