SCI-Defense: Defending Manipulation Attacks from Generative Engine Optimization

📅 2026-05-20
📈 Citations: 0
Influential: 0
🤖 AI Summary
This study addresses the vulnerability of large language model–based ranking systems to Generative Engine Optimization (GEO) attacks, wherein adversaries manipulate rankings by injecting semantic signals into product descriptions. The work presents the first systematic characterization and quantification of semantic manipulation across multiple dimensions—authority attribution, narrative intent, comparative claims, and temporal assertions—and demonstrates that existing defenses are entirely ineffective against such semantic-level attacks. To counter this threat, the authors propose SCI-Defense, a novel framework integrating perplexity-based detection (PPL), Semantic Integrity Scoring (SIS), and Inter-Candidate Detection (ICD), augmented with a cross-sample contrastive mechanism to identify manipulative content. Experiments on Amazon data show that SCI-Defense achieves recall rates of 1.000, 0.952, and 0.830 against String, Reasoning, and Review attacks, respectively, with perfect precision (1.000) and zero false positives, and effectively blocks String attacks on the MS MARCO benchmark.
📝 Abstract
LLM-based ranking systems are vulnerable to Generative Engine Optimization (GEO) attacks, where adversaries inject semantic signals into product descriptions to artificially boost rankings. We propose SCI-Defense, a three-component defense framework combining Perplexity detection (PPL), Semantic Integrity Scoring (SIS), and Inter-Candidate Detection (ICD). SIS evaluates four manipulation dimensions: Authority Attribution (AA), Narrative Purposiveness (NP), Comparative Claims (CA), and Temporal Claims (TC). Evaluated on 600 Amazon product descriptions across 6 categories, SCI-Defense achieves Precision=1.000 and FPR=0.000, with Recall of 1.000, 0.952, and 0.830 against String, Reasoning, and Review attacks respectively. On 600 MS MARCO web passages, String attacks are blocked with perfect recall while Review attacks yield near-zero recall, as web passages lack the persuasion-oriented signals that SIS targets in product descriptions. We demonstrate that existing defenses -- PPL-only filters, SafetyClf content classifiers, and paraphrasing -- achieve zero recall against semantic manipulation attacks. We further demonstrate that new attacks such as Specification Amplification and Use-Case Saturation can expose semantic relevance manipulation as a structural defense blind spot that suggests directions for future research.
Problem

Research questions and friction points this paper is trying to address.

Generative Engine Optimization
manipulation attacks
LLM-based ranking systems
semantic manipulation
ranking manipulation
Innovation

Methods, ideas, or system contributions that make the work stand out.

Generative Engine Optimization
Semantic Integrity Scoring
Manipulation Detection
LLM-based Ranking
Adversarial Defense