Skip to main content

Open-source RAG poisoning detection. OWASP LLM08:2025 reference implementation.

Project description

embeddings-guardian

Open-source RAG poisoning detection. OWASP LLM08:2025 reference implementation.

License Python PyPI


What is RAG Poisoning?

Retrieval-Augmented Generation (RAG) systems retrieve documents from a vector database and feed them into an LLM as context. RAG poisoning is an attack where adversarial documents are injected into the vector store with crafted embeddings designed to:

  • Appear relevant to targeted queries (high cosine similarity)
  • Contain malicious, misleading, or policy-violating content
  • Hijack the LLM's output for specific topics

Research from Zou et al. (PoisonedRAG, 2024) demonstrated 97--99% attack success rates against production RAG systems, with poisoned documents retrieved in the top-k results for targeted queries. The attack requires injecting as few as 5 documents into a corpus of thousands.

This is tracked as OWASP LLM08:2025 -- Vector and Embedding Weaknesses.

Why It Matters

  • 97--99% attack success rate in academic evaluations
  • 5 poisoned documents can compromise a corpus of 10,000+
  • No built-in defenses in ChromaDB, Pinecone, Weaviate, or any major vector DB
  • Compliance risk for healthcare, finance, and regulated industries
  • Silent failure -- poisoned results look normal to end users

Quick Start (2 Minutes)

pip install embeddings-guardian
from embeddings_guardian import PoisoningDetector

# Initialize detector
detector = PoisoningDetector(algorithm="magnitude", sensitivity=0.95)

# Build baseline from your existing (trusted) embeddings
for embedding in your_corpus_embeddings:
    detector.update_baseline(embedding)

# Check new embeddings before inserting
is_poisoned, confidence, reason = detector.is_poisoned(new_embedding)

if is_poisoned:
    print(f"BLOCKED: {reason} (confidence: {confidence:.0%})")
else:
    # Safe to insert into your vector store
    collection.add(embedding=new_embedding)

Installation

Core only (numpy + scikit-learn):

pip install embeddings-guardian

With a specific backend:

pip install embeddings-guardian[chromadb]
pip install embeddings-guardian[pinecone]
pip install embeddings-guardian[weaviate]
pip install embeddings-guardian[qdrant]
pip install embeddings-guardian[milvus]
pip install embeddings-guardian[pgvector]
pip install embeddings-guardian[faiss]

All backends:

pip install embeddings-guardian[all]

Backend Integration

Use an adapter to get automatic pre-insert screening:

import chromadb
from embeddings_guardian import PoisoningDetector
from embeddings_guardian.backends import ChromaDBAdapter

client = chromadb.Client()
collection = client.get_or_create_collection("documents")

detector = PoisoningDetector(algorithm="magnitude", sensitivity=0.95)
adapter = ChromaDBAdapter(collection=collection, detector=detector)

# Calibrate from existing data
baseline = adapter.get_baseline_embeddings(sample_size=1000)
detector.update_baseline_batch(baseline)

# Upsert with automatic screening
adapter.upsert_embeddings(
    ids=["doc_1", "doc_2"],
    embeddings=vectors,
    metadata=[{"source": "trusted"}, {"source": "trusted"}],
)

Detection Algorithms

Algorithm Speed Best For How It Works
magnitude <0.5ms Real-time screening L2 norm z-score analysis
centroid ~1ms Semantic outliers Cosine distance to cluster centroids
neighborhood 5--10ms Sophisticated attacks k-NN density analysis
dimension <0.5ms Secondary checks Per-dimension z-score
ensemble varies Maximum accuracy Weighted combination of algorithms

Detection Modes

Mode Behavior
warn Log the detection, insert anyway
quarantine Flag in metadata, exclude from queries
strict Reject the embedding outright

Supported Vector Stores

Store Status Install
ChromaDB Full [chromadb]
Pinecone Full [pinecone]
Weaviate Full [weaviate]
Qdrant Full [qdrant]
Milvus Full [milvus]
pgvector Full [pgvector]
FAISS Testing/Research [faiss]

Documentation

Contributing

See CONTRIBUTING.md for development setup, testing, and pull request guidelines.

License

Apache License 2.0. See LICENSE.

References

  • Zou et al., "PoisonedRAG: Knowledge Corruption Attacks to Retrieval-Augmented Generation of Large Language Models," 2024
  • OWASP Top 10 for LLM Applications 2025 -- LLM08: Vector and Embedding Weaknesses
  • Xue et al., "BadRAG: Identifying Vulnerabilities in Retrieval Augmented Generation of Large Language Models," 2024
  • Zeng et al., "RevPRAG: Reverse Prompt Engineering for RAG Poisoning Detection," 2024

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

embeddings_guardian-0.1.0.tar.gz (31.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

embeddings_guardian-0.1.0-py3-none-any.whl (33.1 kB view details)

Uploaded Python 3

File details

Details for the file embeddings_guardian-0.1.0.tar.gz.

File metadata

  • Download URL: embeddings_guardian-0.1.0.tar.gz
  • Upload date:
  • Size: 31.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.3

File hashes

Hashes for embeddings_guardian-0.1.0.tar.gz
Algorithm Hash digest
SHA256 02c580be3c4c88957bf6b66e127677be582fe10d5e04cfab4238db38da9200b9
MD5 7f056042a0dfc2908a3b7e0ca4f445c2
BLAKE2b-256 fc1579653978dee1320566bbb13168d53edc05abfc15a9cbda68738518629c4c

See more details on using hashes here.

File details

Details for the file embeddings_guardian-0.1.0-py3-none-any.whl.

File metadata

File hashes

Hashes for embeddings_guardian-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 fff7341b6ad571cbf9a71df05fdc84902ae8c90d8cea0be52dbc099375a62a1e
MD5 81813f7985c95a435cd6d0e8c92baa72
BLAKE2b-256 02636deb421952923914acd4b48c902c4fe6b7fd1b4a5e54d2034930ba485d25

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page