🤖 AI Summary
This work addresses the challenge in GraphRAG systems where conventional watermarking and strong encryption struggle to simultaneously safeguard intellectual property in proprietary knowledge graphs and meet low-latency requirements. To resolve this, the authors propose AURA, a novel framework that introduces data poisoning into GraphRAG for the first time. AURA pre-injects semantically plausible yet falsified distractors into the knowledge graph, causing unauthorized users to generate incorrect responses, while authorized users leverage cryptographic metadata tags and a lightweight key-based filter to remove these distractors with negligible overhead and retain 100% accuracy. By integrating adversarial graph perturbations with efficient authorization verification, AURA effectively thwarts private-model extraction attacks without requiring output monitoring. Experiments demonstrate that unauthorized systems suffer a drastic accuracy drop to 5.3%, and 80.2% of the injected distractors remain robust against sanitization attempts.
📝 Abstract
Graph Retrieval-Augmented Generation (GraphRAG) has emerged as a key technique for enhancing Large Language Models (LLMs) with proprietary Knowledge Graphs (KGs) in knowledge-intensive applications. As these KGs often represent an organization's highly valuable intellectual property (IP), they face a significant risk of theft for private use. In this scenario, attackers operate in isolated environments. This private-use threat renders passive defenses like watermarking ineffective, as they require output access for detection. Simultaneously, the low-latency demands of GraphRAG make strong encryption, which incurs prohibitive overhead, impractical. To address these challenges, we propose AURA, a novel framework based on Data Adulteration designed to make any stolen KG unusable to an adversary. Our framework pre-emptively injects plausible but false adulterants into the KG. For an attacker, these adulterants deteriorate the retrieved context and lead to factually incorrect responses. Conversely, for authorized users, a secret key enables the efficient filtering of all adulterants via encrypted metadata tags before they are passed to the LLM, ensuring query results remain completely accurate. Our evaluation demonstrates the effectiveness of this approach: AURA degrades the performance of unauthorized systems to an accuracy of just 5.3%, while maintaining 100% fidelity for authorized users with negligible overhead. Furthermore, AURA proves robust against various sanitization attempts, retaining 80.2% of its adulterants.
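The key-gated filtering that the abstract and the summary above describe, as an added illustration that is not code from the AURA authors: a toy knowledge graph of triples, constructed here, in which adulterant edges carry a tag derived with an HMAC under the owner's secret key, while genuine edges carry random tags of the same length. The HMAC tag is an assumption standing in for the paper's "encrypted metadata tags" (the actual tag construction is not given on this page), as are the retrieval and answer-selection stand-ins. Without the key, an unauthorized retriever sees contradictory context for every poisoned predicate; with it, the filter drops each adulterant at the cost of one MAC per retrieved edge before anything reaches the LLM.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumed design (not from the paper): adulterant edges are tagged with a
# truncated HMAC under the owner's secret key; genuine edges get a random tag
# of the same length, so the tag field alone reveals nothing without the key.
TAG_LEN = 16

# Constructed demo key. A real deployment would load it from a secrets store.
DEMO_KEY = b"aura-demo-key-do-not-use-in-production"


@dataclass(frozen=True)
class Triple:
    subject: str
    predicate: str
    obj: str
    tag: bytes  # opaque metadata stored alongside the edge


def _canonical(subject: str, predicate: str, obj: str) -> bytes:
    # Unambiguous encoding of the edge; the separator does not occur in labels.
    return "\x1f".join((subject, predicate, obj)).encode("utf-8")


def adulterant_tag(key: bytes, subject: str, predicate: str, obj: str) -> bytes:
    return hmac.new(key, _canonical(subject, predicate, obj), hashlib.sha256).digest()[:TAG_LEN]


def is_adulterant(key: bytes, t: Triple) -> bool:
    # Constant-time comparison: this check is the authorization boundary.
    return hmac.compare_digest(t.tag, adulterant_tag(key, t.subject, t.predicate, t.obj))


def build_graph(key: bytes, genuine, adulterants) -> list[Triple]:
    kg = [Triple(s, p, o, secrets.token_bytes(TAG_LEN)) for s, p, o in genuine]
    kg += [Triple(s, p, o, adulterant_tag(key, s, p, o)) for s, p, o in adulterants]
    return kg


def retrieve(kg: list[Triple], entity: str) -> list[Triple]:
    # Stand-in for GraphRAG retrieval: every edge touching the queried entity.
    return [t for t in kg if entity in (t.subject, t.obj)]


def authorized_filter(key: bytes, context: list[Triple]) -> list[Triple]:
    # Runs between retrieval and the LLM call; one HMAC per retrieved edge.
    return [t for t in context if not is_adulterant(key, t)]


def candidate_answers(context: list[Triple], subject: str, predicate: str) -> set[str]:
    # The values an LLM would have to choose between; more than one means
    # the context it was handed is poisoned.
    return {t.obj for t in context if t.subject == subject and t.predicate == predicate}


# Constructed sample KG: a fictitious product record.
GENUINE = [
    ("Widget-X", "supplier", "Acme Metals"),
    ("Widget-X", "launch_year", "2019"),
    ("Widget-X", "successor", "Widget-Y"),
    ("Acme Metals", "located_in", "Ohio"),
]
# Plausible but false edges that contradict the genuine ones.
ADULTERANTS = [
    ("Widget-X", "supplier", "Zenith Alloys"),
    ("Widget-X", "launch_year", "2021"),
    ("Widget-X", "successor", "Widget-Z"),
]
KG = build_graph(DEMO_KEY, GENUINE, ADULTERANTS)


def run_demo(key: bytes = DEMO_KEY) -> dict[str, set[str]]:
    ctx = retrieve(KG, "Widget-X")
    return {
        "unauthorized": candidate_answers(ctx, "Widget-X", "supplier"),
        "authorized": candidate_answers(authorized_filter(key, ctx), "Widget-X", "supplier"),
    }


if __name__ == "__main__":
    print(run_demo())
```

Two properties of this layout are worth noting. Because genuine edges carry random tags rather than no tag, the presence or shape of the tag field gives an attacker nothing to sort on; and because the filter only removes edges whose MAC verifies, a wrong or missing key degrades an authorized client to exactly the unauthorized view rather than silently discarding genuine facts.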