🤖 AI Summary
This work addresses the security and privacy risks inherent in Retrieval-Augmented Generation (RAG) systems—such as sensitive data leakage and knowledge base tampering—by proposing the first unified threat taxonomy that spans the entire RAG pipeline, including retrieval, context construction, and generation. It systematically analyzes attack surfaces across centralized, on-device (Micro-RAG), federated, and hybrid deployment paradigms, and integrates corresponding defense mechanisms leveraging techniques like differential privacy, secure aggregation, and encrypted retrieval. The study provides a comprehensive survey of existing research, clarifies the trade-offs between privacy and utility, highlights practical deployment challenges, and identifies critical open problems, thereby establishing a theoretical foundation and charting future directions for developing trustworthy, secure, and robust RAG systems.
📝 Abstract
Retrieval-Augmented Generation (RAG) has emerged as a dominant paradigm for enhancing large language models with external knowledge. By coupling retrieval mechanisms with generative models, RAG systems improve factual grounding and adaptability across domains. However, integrating retrieval pipelines introduces new security and privacy risks that extend beyond conventional language modeling threats. Sensitive information may be exposed through retrieval indices, query logs, context construction, or federated updates, while adversarial manipulation of knowledge bases can undermine trust in generated outputs. This survey provides a comprehensive examination of privacy and security challenges across RAG systems deployed in centralized, on-device (Micro-RAG), federated, and hybrid paradigms. We present a unified taxonomy of threat surfaces spanning the retrieval, context construction, and generation stages and systematically analyze attack classes, including membership inference, index inference, poisoning, gradient leakage, and collusion. We further review architectural, algorithmic, and cryptographic defenses, highlighting privacy-utility trade-offs and deployment considerations. Finally, we outline open research challenges toward building trustworthy, secure, and resilient RAG systems for real-world applications.