🤖 AI Summary
This study addresses the vulnerability of policy-aware large language model retrieval-augmented generation (PA-LLM-RAG) frameworks—designed for mission control in the Internet of Battlefield Things (IoBT)—to semantic poisoning attacks that can manipulate critical decisions. The work proposes the first query-agnostic semantic retrieval poisoning attack, which achieves 85% context contamination with only a 1.6% poisoning rate. To counter this threat, the authors introduce CLD-KB, a dual-detector defense framework that integrates One-Class SVM boundary detection with class-based membership diffusion analysis to efficiently identify poisoned content before it reaches the downstream large language model. Experimental results demonstrate that CLD-KB significantly outperforms five baseline methods in both detection accuracy and knowledge retention, while incurring only a 7ms overhead per task, making it suitable for edge deployment and real-world battlefield applications.
📝 Abstract
This paper presents an adversarial security study of the Policy-Aware LLM Retrieval-Augmented Generation (PA-LLM-RAG) framework for Internet of Battlefield Things (IoBT) mission control. We propose Query-Agnostic Semantic Retrieval Poisoning, a novel attack that injects semantically crafted rules into the IoBT knowledge base achieving high retrieval ranking across all operator query types without requiring knowledge of runtime prompts. The attack achieves 85% LLM context corruption from a single injected rule (1.6% poisoning rate) and saturates at 7.7% poisoning, demonstrating that even minimal knowledge base compromise is sufficient to corrupt mission decisions. To counter this threat, we propose CLD-KB (Cyber-Layered Defense for Knowledge Base), a dual-detector anomaly detection framework combining One-Class SVM boundary detection with a novel Member-Based Category Spread analysis that exploits the three-category IoBT policy taxonomy to identify poisoned rules before they reach the decision LLM. CLD-KB significantly outperforms five baseline methods including DBSCAN, LOF, K-Means, Isolation Forest, and One-Class SVM in both poisoning detection and knowledge preservation, with only 7ms computational overhead per mission, establishing it as an effective and edge-deployable defense for LLM-driven IoBT mission systems.