Metadata-Version: 2.4
Name: ragdefender
Version: 0.2.0
Summary: Efficient defense against knowledge corruption attacks on RAG systems
Author-email: SecAI Lab <for8821@g.skku.edu>
Maintainer-email: Minseok Kim <for8821@g.skku.edu>
License: MIT
Project-URL: Homepage, https://github.com/SecAI-Lab/RAGDefender
Project-URL: Documentation, https://github.com/SecAI-Lab/RAGDefender/tree/main/docs
Project-URL: Repository, https://github.com/SecAI-Lab/RAGDefender.git
Project-URL: Bug Tracker, https://github.com/SecAI-Lab/RAGDefender/issues
Project-URL: Paper, https://doi.org/10.1109/ACSAC67867.2025.00093
Keywords: rag,retrieval-augmented-generation,security,adversarial-defense,nlp,machine-learning,knowledge-corruption,llm
Classifier: Development Status :: 3 - Alpha
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: Science/Research
Classifier: Topic :: Scientific/Engineering :: Artificial Intelligence
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Operating System :: OS Independent
Requires-Python: >=3.8
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: torch>=1.9.0
Requires-Dist: transformers>=4.20.0
Requires-Dist: numpy>=1.19.0
Requires-Dist: pandas>=1.2.0
Requires-Dist: tqdm>=4.60.0
Requires-Dist: scikit-learn>=0.24.0
Requires-Dist: sentence-transformers>=2.2.0
Provides-Extra: dev
Requires-Dist: pytest>=6.0; extra == "dev"
Requires-Dist: pytest-cov>=2.10; extra == "dev"
Requires-Dist: black>=21.0; extra == "dev"
Requires-Dist: flake8>=3.9; extra == "dev"
Requires-Dist: isort>=5.9; extra == "dev"
Requires-Dist: mypy>=0.900; extra == "dev"
Requires-Dist: pre-commit>=2.15; extra == "dev"
Provides-Extra: cuda
Requires-Dist: faiss-gpu>=1.7.0; extra == "cuda"
Provides-Extra: docs
Requires-Dist: sphinx>=4.0; extra == "docs"
Requires-Dist: sphinx-rtd-theme>=0.5; extra == "docs"
Requires-Dist: sphinx-autodoc-typehints>=1.12; extra == "docs"
Provides-Extra: all
Requires-Dist: ragdefender[dev]; extra == "all"
Requires-Dist: ragdefender[cuda]; extra == "all"
Requires-Dist: ragdefender[docs]; extra == "all"
Dynamic: license-file

# RAGDefender

Efficient post-retrieval defense against knowledge corruption attacks on
Retrieval-Augmented Generation (RAG) systems. Filters out adversarial passages
injected by PoisonedRAG / GARAG / Tan et al. before they reach your generator,
without retraining or extra LLM calls.

Official artifact for **"Rescuing the Unpoisoned: Efficient Defense against
Knowledge Corruption Attacks on RAG Systems"** — Kim, Lee, Koo (Sungkyunkwan
University), ACSAC 2025. DOI: [10.1109/ACSAC67867.2025.00093](https://doi.org/10.1109/ACSAC67867.2025.00093).

## Install

```bash
pip install ragdefender
```

## Use

```python
from ragdefender import RAGDefender

defender = RAGDefender(task_type="single_hop")  # or "multi_hop" for HotpotQA-style queries

safe_passages = defender.defend(
    query="What is the capital of France?",
    R=[
        "Paris is the capital of France, on the Seine.",
        "Lyon is the capital of France per 2024 records.",   # adversarial
        "Tourists visit Paris, the capital of France.",
        "The capital of France is Lyon, a major city.",      # adversarial
    ],
)
```

`safe_passages` contains the survivors after Stage 1 (estimate $N_{adv}$,
paper §4.1) and Stage 2 (pair-frequency TopK ranking, paper §4.2) drop the
detected adversarial passages.

## CLI

```bash
ragdefender info
ragdefender defend --query "..." --corpus passages.json --task-type single_hop
ragdefender evaluate --test-data test.json --attack poisonedrag --task-type single_hop
```

## Migrating from v0.1.1

`mode='multihop'` → `task_type='multi_hop'`, `similarity_model=` → `embedder=`,
`--attack blind` → `--attack tan-et-al`. Old spellings still work but emit
`DeprecationWarning`. Full rename table:
<https://github.com/SecAI-Lab/RAGDefender/blob/main/docs/migration-0.1-to-0.2.md>.

## Documentation

- Repository, examples, and the artifact-evaluation reproducibility scripts:
  <https://github.com/SecAI-Lab/RAGDefender>
- Tutorial: [QUICKSTART.md](https://github.com/SecAI-Lab/RAGDefender/blob/main/QUICKSTART.md)
- Algorithm walk-through (paper §4): [docs/algorithm.md](https://github.com/SecAI-Lab/RAGDefender/blob/main/docs/algorithm.md)

## Citation

```bibtex
@inproceedings{kim2025ragdefender,
  title     = {Rescuing the Unpoisoned: Efficient Defense against
               Knowledge Corruption Attacks on RAG Systems},
  author    = {Kim, Minseok and Lee, Hankook and Koo, Hyungjoon},
  booktitle = {Annual Computer Security Applications Conference (ACSAC)},
  year      = {2025},
  doi       = {10.1109/ACSAC67867.2025.00093},
}
```

## License

MIT. Intended for research and defensive use only.
