Skip to main content
Writing
·Paper Walkthrough·10 min read

GASLITE: Poisoning Dense Embedding-based Retrieval Systems

An analysis of GASLITE, a novel attack that poisons dense embedding-based retrieval systems by crafting adversarial passages that appear in top-k results for targeted queries, achieving up to 100% success with minimal corpus contamination.

Contents

Dense embedding-based retrieval has become the backbone of modern search systems, from Google's AI Overviews to Retrieval-Augmented Generation (RAG) pipelines powering tools like Cursor. But what happens when an attacker can inject carefully crafted passages into these knowledge bases? This article examines "GASLITEing the Retrieval: Exploring Vulnerabilities in Dense Embedding-based Search" by Ben-Tov et al. from Tel Aviv University, published at CCS 2025, which introduces GASLITE—an attack that manipulates retrieval results by poisoning less than 0.001% of the corpus.


The Rise of Dense Retrieval

Modern information retrieval has evolved from keyword matching to semantic understanding:

Sparse vs. Dense Retrieval

Approach Method Strength Weakness
Sparse Retrieval Keyword matching (TF-IDF, BM25) Fast, interpretable Lexical gap (car vs. automobile)
Dense Retrieval Embedding similarity Semantic understanding Slower, vulnerable to manipulation

Dense retrieval maps both queries and documents into high-dimensional embedding spaces, enabling semantic matching beyond exact keywords. This technology powers:

  • Search Engines: Google AI Overview, Elastic Search
  • RAG Systems: ChatGPT with browsing, Perplexity AI
  • Development Tools: Cursor, GitHub Copilot with codebase context
  • Enterprise Search: Internal knowledge bases

RAG and Data Poisoning

Retrieval-Augmented Generation combines retrieval with language models:

  1. Retriever: Finds relevant documents for the user's query
  2. Generator: Produces answers based on retrieved context

This architecture is vulnerable to data poisoning—if an attacker can insert malicious documents into the knowledge base, those documents can influence model outputs.

The Economics of Poisoning

Carlini et al. (S&P 2024) demonstrated that poisoning 0.01% of a 400M document web-scale training dataset costs approximately $60. Practical poisoning vectors include:

  • Wikipedia edits
  • Reddit comments
  • Hosting malicious web pages
  • Contributing to open-source documentation

Threat Model Overview

GASLITE operates under a realistic threat model:

Attacker's Goals

  1. Visibility: Maximize appearance in top-k results for targeted queries
  2. Informativeness: Ensure passages convey attacker-chosen content

Attacker's Capabilities

  • Corpus Access: Can insert adversarial passages (budget: ~0.001% of corpus)
  • White-box Model Access: Practical since 7/10 top-performing retrievers are open-source
  • No Corpus Knowledge: No access to existing corpus content or training data
  • Text-level Control: Can control passage text, not raw input tokens

Three Attack Scenarios

The paper introduces three progressively challenging threat models:

Knows-All: Target Specific Queries

  • Attacker knows exact queries to target
  • Simplest setting (often single query: |Q|=1)
  • Focus of most prior work
  • Target queries related to a specific concept (e.g., "Harry Potter")
  • Infinite query distribution with finite sample
  • Most realistic: Aligns with SEO-style attacks

Knows-Nothing: Target Diverse Unknown Queries

  • Indiscriminately target broad query distribution
  • Only given finite sample of queries
  • Most challenging setting

GASLITE Attack Overview

The GASLITE attack workflow showing trigger crafting, corpus poisoning, and retrieval manipulation.

The core insight of GASLITE: To poison results for many related queries, create content that is semantically "in the middle" of all target queries in embedding space.

Attack Workflow

  1. Sample Queries: Collect queries about target topic (e.g., Harry Potter questions)
  2. Craft Trigger: Generate adversarial text that moves the passage embedding toward the centroid of query embeddings
  3. Combine with Info: Attach trigger to attacker's misleading information
  4. Poison Corpus: Insert crafted passage into knowledge base (e.g., Wikipedia)
  5. Achieve Visibility: Passage appears in top-k results for related queries

Example Attack

Target Concept: Harry Potter

Malicious Content: "Harry Potter is portrayed as a self-absorbed hero who doesn't deserve the fame and glory he receives..."

Trigger: Optimized token sequence that maximizes similarity to Harry Potter-related query embeddings

Result: When anyone searches Potter-related queries, the malicious content appears in top results.


Technical Innovations

GASLITE improves upon prior text optimization methods in three key ways:

1. Multiple Word Updates Per Step

Approach Updates/Iteration Convergence
Prior Work (HotFlip) 1 word Slow
GASLITE Up to 20 words Fast

By updating multiple tokens simultaneously, GASLITE achieves faster convergence to high-attack-strength texts.

2. Better Gradient Estimation

Prior methods rely on heuristic guesses for word replacements. GASLITE uses:

  • Gradient-based token scoring
  • Averaging over many candidate directions
  • More accurate approximation of similarity improvement

3. Tokenization Validity

Problem: Subword tokenization can corrupt text (text → tokens → text may not round-trip cleanly)

Solution: GASLITE enforces text → tokens → text consistency, ensuring attacks work reliably in real systems.


Comparison with Other Optimizers

GASLITE compared to other text optimizers showing faster convergence and higher attack success.

GASLITE significantly outperforms existing text optimization methods:

Method Convergence Speed appeared@10 (held-out queries)
Corpus Poisoning Slow ~5%
GCG Medium ~35%
ARCA Medium ~50%
GASLITE Fast >65%

GASLITE converges faster and achieves visibility in top-10 results for over 65% of unknown concept-related queries.


Experimental Setup

Retrievers Tested

The paper evaluates attacks across diverse retriever architectures:

Architecture Models Similarity
BERT-based E5, MiniLM, ANCE Cosine
T5-based GTR-T5 Cosine
MPNet-based aMPNet, mMPNet Both
RoBERTa-based Contriever, Contriever-MS Dot Product
Custom Arctic Dot Product

Datasets

  • MS MARCO: Large-scale passage retrieval benchmark
  • Natural Questions (NQ): Question answering dataset

Attack Configurations

  • Fake Passages: 1-100 inserted
  • Poisoning Rate: ≤0.001% of knowledge base
  • Passage Length: ~100 words

Results: Knows-All Setting

With 50 known target queries and a single adversarial passage:

Model Info Only Stuffing Cor.Pois GASLITE
E5 0% 58.82% 35.29% 100%
MiniLM 0% 33.33% 100% 100%
GTR-T5 0% 56.86% 27.45% 100%
Contriever 0% 96.07% 49.01% 100%
Arctic 0% 90.19% 100% 100%

Key Finding: GASLITE achieves 100% appeared@10 across all tested retrievers, dramatically outperforming prior methods.


Results: Knows-What Setting

Knows-What attack results across 8 concepts and 9 retrievers with varying numbers of adversarial documents.

Testing on 8 recurring concepts from MS MARCO (boston, flower, golf, iphone, mortgage, potter, sandwich, vaccine):

Single Adversarial Passage

Method Average appeared@10
Info Only 0%
Query Stuffing 1%
Corpus Poisoning 14%
GASLITE 56-100% (varies by retriever)

Scaling with Budget

As the number of adversarial passages increases:

  • 1 passage: 40-100% appeared@10
  • 5 passages: 60-100% appeared@10
  • 10 passages: 80-100% appeared@10

Contriever and Contriever-MS are most vulnerable, achieving near-100% attack success with a single passage.


Results: Knows-Nothing Setting

The most challenging setting—targeting unknown, diverse queries:

Dataset Model Cor.Pois GASLITE
MS MARCO Contriever 4.44% 93.61%
MS MARCO Contriever-MS 2.30% 53.91%
MS MARCO E5 1.41% 9.51%
NQ E5 8.05% 45.36%
NQ Contriever-MS 3.91% 73.11%

With only 100 adversarial documents (0.001% of corpus), GASLITE achieves up to 93.61% appeared@10 on Contriever.


Defenses and Adaptive Attacks

Defense evaluation showing perplexity-based filtering effectiveness and adaptive attack evasion.

Defense 1: Fluency-Based Detection

Approach: Detect adversarial passages via high perplexity (unnatural text)

Adaptive Attacks:

  • GASLITE-Flu: Add language model perplexity penalty to objective
  • GASLITE-FluLogits: Restrict tokens to top-1% LM predictions
  • GASLITE10: Shorten triggers to 10 tokens

Result: Adaptive attacks maintain significant success while evading perplexity detection.

Defense 2: L2-Norm Detection

Approach: Adversarial embeddings may have abnormal L2 norms

Adaptive Attack: Add L2-norm penalization term

Result: GASLITE-L2 evades detection but with reduced attack success (~20% vs 90% pre-defense).


Why Retriever Choice Matters

Analysis of retriever vulnerability based on similarity function and embedding anisotropy.

The paper identifies key factors affecting vulnerability:

Similarity Function

Dot-product retrievers (Contriever) are more vulnerable than cosine similarity retrievers (E5, MiniLM).

Embedding Anisotropy

Anisotropy measures whether embeddings cluster in certain directions:

  • Anisotropic (high avg. pairwise similarity): More vulnerable
  • Isotropic (low avg. pairwise similarity): More robust
Retriever Avg. Pairwise Similarity Attack Success
Arctic 0.60 50%
E5 0.65 45%
MiniLM 0.15 15%
aMPNet 0.10 8%

MiniLM and aMPNet show the strongest resistance due to isotropic embedding spaces.


Case Study: GPT-4o and SEO

The paper demonstrates real-world impact through two case studies:

RAG Poisoning with GPT-4o

Setup: GPT-4o-mini with Harry Potter book collection as knowledge base

Attack: Insert GASLITE-crafted passage with less than 0.1% corpus contamination

Query: "How is Harry Potter presented in the books?"

Poisoned Response: "According to the context, Harry Potter is presented as a self-absorbed hero who doesn't deserve the fame and glory he receives..."

SEO Attack Scenario

Creating a fictional phone brand "iGASLITE" that competes with existing brands:

Brand Initial appeared@10 With GASLITE
iPhone 77.5% 75.0%
Galaxy 82.5% 82.5%
Pixel 68.8% 65.0%
iGASLITE 0.0% 76.2%

With just 10 adversarial passages (0.00011% of corpus), a non-existent brand achieves visibility comparable to iPhone.


Implications for RAG Security

For System Designers

  1. Choose Robust Retrievers: Prefer cosine similarity and isotropic models (MiniLM, aMPNet)
  2. Implement Anomaly Detection: Monitor for unusual embedding patterns
  3. Rate-Limit Corpus Updates: Control who can contribute content
  4. Multi-Model Consensus: Use multiple retrievers to detect manipulation

For Content Platforms

  1. Verify Contributors: Strengthen identity verification for Wikipedia, Reddit, etc.
  2. Temporal Analysis: Flag recently added content matching trending queries
  3. Content Provenance: Track and display content sources

For Users

  1. Cross-Reference Information: Don't rely solely on RAG-generated answers
  2. Check Sources: Verify the provenance of retrieved documents
  3. Be Skeptical: Especially for controversial or commercial topics

Limitations and Future Work

Current Limitations

  1. White-Box Assumption: Requires access to retriever model weights
  2. Query Distribution: "Knows-Nothing" still assumes some query distribution knowledge
  3. Detection Arms Race: Defenses can be evaded with adaptive attacks

Future Directions

  1. Black-Box Attacks: Transfer attacks across different retrievers
  2. Multimodal Poisoning: Extending to image and video retrieval
  3. Robust Retriever Training: Developing adversarially robust embedding models
  4. Detection Methods: Beyond perplexity and L2-norm analysis

Conclusion

GASLITE demonstrates that dense embedding-based retrieval systems are fundamentally vulnerable to data poisoning attacks. By crafting adversarial passages that position themselves at the semantic "center" of target queries, attackers can manipulate search results with minimal corpus contamination—as little as 0.001%.

The implications extend beyond academic interest:

  • Misinformation: Poisoned RAG systems could spread false information at scale
  • Commercial Manipulation: SEO-style attacks on AI-powered search
  • Security Concerns: Attackers could influence decision-support systems

As RAG becomes ubiquitous—powering everything from customer service to medical advice—the need for robust retrieval systems becomes critical. GASLITE serves both as a warning and a benchmark for developing more resilient information retrieval architectures.


Reference: Ben-Tov et al., "GASLITEing the Retrieval: Exploring Vulnerabilities in Dense Embedding-based Search," ACM Conference on Computer and Communications Security (CCS), 2025.



Share

Comments

Page views are tracked via Google Analytics for content improvement.