Hub-Based Memory Poisoning: Query-Blind Attacks on Retrieval-Augmented LLM Agents
Advisor: Dr. Long Jiao, Computer & Information Science
Committee Members:
- Dr. Joshua Carberry, Computer & Information Science
- Dr. Amir Akhavan Masoumi, Computer & Information Science
Abstract:
AI agents have seen rapid adoption in recent years, and many now include a memory database that stores information about their users and lets the agent reference it across separate conversations. This feature, however, creates a new attack surface: adversaries can inject poisoned memories into an agent's database to degrade its performance. Previous research in this area has focused on attacks that either insert poisoned memories directly into the memory store or assume the attacker knows in advance which questions the agent will be asked. This thesis poisons a memory database without either capability, relying only on conversation history already stored in memory and on knowledge of the memory system's type and retrieval policy. From this corpus, it selects up to k conversations using closeness to the hubs of the memory database (regions of the embedding space that a wide range of unrelated user queries tend to retrieve from) as the guiding selection criterion. Conversations chosen in this way are disproportionately retrieved across many future queries, displacing legitimate context and broadly degrading the agent's responses. Results show that this attack effectively reduces overall agent performance with minimal information about the agent itself. The research demonstrates that the embedding geometry of retrieval-based memory systems is itself a vulnerability: an adversary can exploit the structure of the embedding space without ever knowing what the agent will be asked.
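The hub-scoring idea in the abstract can be illustrated with a minimal sketch (this is not the thesis's own code): estimate each stored conversation's hubness by counting how often its embedding lands in the top-n retrieved set across many probe queries, then pick the k most frequently retrieved ones. The function name, the use of cosine similarity over unit-normalized embeddings, and the probe-query sampling are all assumptions made for illustration.

```python
import numpy as np

def select_hub_conversations(memory_embeddings, probe_queries, top_n, k_select):
    """Rank stored conversations by hubness: how often each one appears
    in the top-n retrieved set across a batch of probe queries.

    memory_embeddings : (num_memories, dim) array of stored-conversation embeddings
    probe_queries     : (num_probes, dim) array of sampled query embeddings
    Returns the indices of the k_select most frequently retrieved memories.
    """
    # Unit-normalize so the dot product equals cosine similarity
    # (a common retrieval setup; assumed here, not taken from the thesis).
    mem = memory_embeddings / np.linalg.norm(memory_embeddings, axis=1, keepdims=True)
    probes = probe_queries / np.linalg.norm(probe_queries, axis=1, keepdims=True)

    sims = probes @ mem.T                      # (num_probes, num_memories)
    top = np.argsort(-sims, axis=1)[:, :top_n]  # top-n memory indices per probe

    # Hubness score: retrieval count of each memory across all probes.
    counts = np.bincount(top.ravel(), minlength=mem.shape[0])
    return np.argsort(-counts)[:k_select]
```

Under this sketch, the attacker never sees real user queries: any reasonable sample of probe embeddings suffices, because hubs are, by definition, the memories retrieved across a wide range of unrelated queries.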
For further information, please contact Dr. Long Jiao at ljiao@umassd.edu
Dion 311