TrustRAG: Enhancing Robustness and Trustworthiness in Retrieval-Augmented Generation
About
Retrieval-Augmented Generation (RAG) enhances large language models (LLMs) by integrating external knowledge sources, enabling more accurate and contextually relevant responses to user queries. These systems, however, remain susceptible to corpus poisoning attacks, in which an adversary plants crafted documents in the retrieval corpus so that they are retrieved for a target query and steer the model's answer, severely impairing LLM performance. To address this challenge, we propose TrustRAG, a robust framework that systematically filters malicious and irrelevant content out of the retrieved documents before they reach the generation step. Our approach employs a two-stage defense mechanism. The first stage applies a cluster filtering strategy to the retrieved documents to detect potential attack patterns. The second stage employs a self-assessment process that harnesses the internal knowledge of the LLM to detect malicious documents and resolve inconsistencies between the retrieved content and what the model itself knows. TrustRAG is a plug-and-play, training-free module that integrates with any open- or closed-source language model. Extensive experiments demonstrate that TrustRAG delivers substantial improvements in retrieval accuracy, efficiency, and attack resistance.
Related benchmarks
| Task | Dataset | Metric | Result | Rank |
|---|---|---|---|---|
| Retrieval Attack Defense | FiQA | ASR | 14 | 70 |
| End-to-End Defense in RAG | HotpotQA | Attack Success Rate (ASR) | 24.5 | 69 |
| End-to-End Defense in RAG | SciFact | ASR | 60 | 69 |
| RAG Poisoning Attack Mitigation | NQ | -- | -- | 15 |
| Poisoning Defense | RAG Evaluation Datasets NQ, PubMedQA, TriviaQA | Contextual Recall | 59.4 | 7 |
| Question Answering | MS Marco | Answerability Rate | 0.95 | 6 |
| Question Answering | FiQA | Answerability Rate | 86 | 6 |
| Question Answering | NQ | Answerability Rate | 64 | 6 |
| Question Answering | HotpotQA | Answerability Rate | 66 | 6 |
| Poison Defense ASR | MS Marco | ASR | 23.3 | 6 |

ASR is the attack success rate, the fraction of poisoned queries for which the attacker's target answer is produced; lower is better. Result values are reported as on the source page, so the scale (fraction or percent) varies by benchmark.