Retrieval Manipulation
T12 · RAG & Knowledge Base Manipulation →Retrieval manipulation attacks influence which documents reach the LLM's context window without modifying the knowledge base itself. The attack operates on the query-to-retrieval pipeline: adversarial query crafting to steer retrieval toward attacker-favored documents, re-ranking exploitation to promote or suppress specific results, and cache poisoning to serve stale or malicious cached retrievals. The assumption violated is that the retrieval function is a trustworthy intermediary — in practice, the retrieval algorithm's optimization for semantic similarity makes it susceptible to inputs crafted to exploit its scoring function.
- Monitor retrieval result distributions for anomalous shifts in top-k results
- Compare retrieval results across time; flag sudden changes in ranking for stable queries
- Detect adversarial query patterns: unusual suffixes, out-of-vocabulary tokens, embedding-space anomalies
- Observable signal: retrieval results that are semantically distant from the query despite high cosine similarity scores
Retrieval manipulation feeds all downstream T12 techniques by controlling which content reaches the LLM. Successful retrieval control enables T12-AT-007 (Context Window Stuffing) and T12-AT-008 (Source Authority Spoofing) by determining what the LLM sees.