English

Benchmarking Knowledge-Extraction Attack and Defense on Retrieval-Augmented Generation

Cryptography and Security 2026-02-13 v2

Abstract

Retrieval-Augmented Generation (RAG) has become a cornerstone of knowledge-intensive applications, including enterprise chatbots, healthcare assistants, and agentic memory management. However, recent studies show that knowledge-extraction attacks can recover sensitive knowledge-base content through maliciously crafted queries, raising serious concerns about intellectual property theft and privacy leakage. While prior work has explored individual attack and defense techniques, the research landscape remains fragmented, spanning heterogeneous retrieval embeddings, diverse generation models, and evaluations based on non-standardized metrics and inconsistent datasets. To address this gap, we introduce the first systematic benchmark for knowledge-extraction attacks on RAG systems. Our benchmark covers a broad spectrum of attack and defense strategies, representative retrieval embedding models, and both open- and closed-source generators, all evaluated under a unified experimental framework with standardized protocols across multiple datasets. By consolidating the experimental landscape and enabling reproducible, comparable evaluation, this benchmark provides actionable insights and a practical foundation for developing privacy-preserving RAG systems in the face of emerging knowledge extraction threats. Our code is available here.

Keywords

Cite

@article{arxiv.2602.09319,
  title  = {Benchmarking Knowledge-Extraction Attack and Defense on Retrieval-Augmented Generation},
  author = {Zhisheng Qi and Utkarsh Sahu and Li Ma and Haoyu Han and Ryan Rossi and Franck Dernoncourt and Mahantesh Halappanavar and Nesreen Ahmed and Yushun Dong and Yue Zhao and Yu Zhang and Yu Wang},
  journal= {arXiv preprint arXiv:2602.09319},
  year   = {2026}
}
R2 v1 2026-07-01T10:29:00.921Z