This paper addresses the challenging problem of stealthy membership inference attacks against knowledge base documents in Retrieval-Augmented Generation (RAG) systems. We propose a black-box attack method that is highly stealthy and low-overhead. Our core innovation lies in constructing natural language queries subject to semantic answerability constraints: a query is semantically well-posed—and thus likely to elicit a confident, coherent response—only if the target document is present in the knowledge base, thereby evading existing detection mechanisms. The method integrates semantic-driven query generation with context-sensitive reasoning analysis, requiring no access to model internals or training data. Experiments demonstrate that our approach achieves a true positive rate (TPR) twice as high as prior methods at a 1% false positive rate, while reducing detection rates by 76×. For single-document inference, it requires only ~30 queries per target, costing under $0.02, and exhibits strong robustness and stealth across diverse RAG configurations.

Retrieval-Augmented Generation (RAG) enables Large Language Models (LLMs) to generate grounded responses by leveraging external knowledge databases without altering model parameters. Although the absence of weight tuning prevents leakage via model parameters, it introduces the risk of inference adversaries exploiting retrieved documents in the model's context. Existing methods for membership inference and data extraction often rely on jailbreaking or carefully crafted unnatural queries, which can be easily detected or thwarted with query rewriting techniques common in RAG systems. In this work, we present Interrogation Attack (IA), a membership inference technique targeting documents in the RAG datastore. By crafting natural-text queries that are answerable only with the target document's presence, our approach demonstrates successful inference with just 30 queries while remaining stealthy; straightforward detectors identify adversarial prompts from existing methods up to ~76x more frequently than those generated by our attack. We observe a 2x improvement in TPR@1%FPR over prior inference attacks across diverse RAG configurations, all while costing less than $0.02 per document inference.