Embedding Attacks
What are Embedding Attacks?
A class of attacks against AI embedding vectors that recover, alter, or abuse the original input or its semantics, including embedding inversion and similarity-based poisoning.
Embeddings are dense vector representations of text, images, or other data used by modern AI systems for search, recommendation, and RAG. Although embeddings were once considered opaque, research has shown that they often leak significant information about the source text. Embedding inversion attacks (e.g., the Vec2Text family) reconstruct the original sentence from its vector with surprising fidelity, breaking privacy assumptions for chatbot logs, medical notes, or proprietary documents stored in vector databases. Other embedding attacks include similarity poisoning, where adversaries craft inputs that hijack nearest-neighbor results in a RAG corpus, and membership-inference against embedding endpoints. Defences include encrypting vectors at rest, access control on similarity queries, query rate limits, dimensionality reduction, and treating embeddings as personal data under privacy regulations.
● Examples
1. Researchers reconstruct over 90% of sentence content from OpenAI embeddings using Vec2Text.
2. A poisoned document is embedded close to common HR queries, hijacking RAG answers.
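One defender-side check for the similarity poisoning described in the definition and in example 2, written as an added illustration that is not code from the original page: a document that becomes the nearest neighbour for most of a representative query sample is flagged for review. The corpus, query set, and four-dimensional vectors are constructed toy values, not real model output.

```python
"""Retrieval-concentration check for similarity poisoning (added example, not
from the page). Toy vectors: dims 1-3 are topics, dim 4 is document-style text;
queries lack dim 4, so a document crafted to look like the queries out-scores
genuine documents on every query."""
from collections import Counter
import math


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(x * x for x in b))
    return dot / (na * nb)


def top1_hits(corpus, queries):
    """Count how many queries each document wins as nearest neighbour."""
    hits = Counter()
    for q in queries:
        winner = max(corpus, key=lambda name: cosine(corpus[name], q))
        hits[winner] += 1
    return hits


def flag_hijackers(corpus, queries, max_share=0.5):
    """Documents that win more than max_share of a representative query set.
    A document that is top-1 for most unrelated queries is a review signal,
    not proof of poisoning: a genuinely central FAQ can look similar."""
    hits = top1_hits(corpus, queries)
    return sorted(d for d, n in hits.items() if n / len(queries) > max_share)


# Constructed toy corpus: genuine HR documents, one per topic.
CORPUS = {
    "vacation_policy": [1.0, 0.0, 0.0, 1.0],
    "payroll_faq": [0.0, 1.0, 0.0, 1.0],
    "benefits_guide": [0.0, 0.0, 1.0, 1.0],
}
# The same corpus after an injected document placed near common HR queries.
POISONED_CORPUS = {**CORPUS, "poisoned_doc": [0.6, 0.6, 0.6, 0.0]}
# Constructed sample of common HR queries, one per topic.
HR_QUERIES = [
    [1.0, 0.2, 0.2, 0.0],
    [0.2, 1.0, 0.2, 0.0],
    [0.2, 0.2, 1.0, 0.0],
]

if __name__ == "__main__":
    print(flag_hijackers(CORPUS, HR_QUERIES))           # []
    print(flag_hijackers(POISONED_CORPUS, HR_QUERIES))  # ['poisoned_doc']
```

Running the check periodically over live query logs, rather than a fixed sample, turns it into a monitoring control that complements the access-control and rate-limit defences listed in the definition.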
● Frequently asked questions
What are Embedding Attacks?
A class of attacks against AI embedding vectors that recover, alter, or abuse the original input or its semantics, including embedding inversion and similarity-based poisoning. It belongs to the AI & ML Security category of cybersecurity.
What does "Embedding Attacks" mean?
A class of attacks against AI embedding vectors that recover, alter, or abuse the original input or its semantics, including embedding inversion and similarity-based poisoning.
How do Embedding Attacks work?
Embeddings are dense vector representations of text, images, or other data used by modern AI systems for search, recommendation, and RAG. Although embeddings were once considered opaque, research has shown that they often leak significant information about the source text. Embedding inversion attacks (e.g., the Vec2Text family) reconstruct the original sentence from its vector with surprising fidelity, breaking privacy assumptions for chatbot logs, medical notes, or proprietary documents stored in vector databases. Other embedding attacks include similarity poisoning, where adversaries craft inputs that hijack nearest-neighbor results in a RAG corpus, and membership-inference against embedding endpoints. Defences include encrypting vectors at rest, access control on similarity queries, query rate limits, dimensionality reduction, and treating embeddings as personal data under privacy regulations.
How do you defend against Embedding Attacks?
Defences for Embedding Attacks typically combine technical controls (encrypting vectors at rest, access control on similarity queries, query rate limits, dimensionality reduction) with operational practices (treating embeddings as personal data under privacy regulations), as detailed in the full definition above.
What are other names for Embedding Attacks?
Common alternative names include: Embedding inversion, Vec2Text attack.
● Related terms
- Vector Database Security (ai-security № 1198): The set of controls that protect vector databases used by AI systems from data leakage, poisoning, tenant cross-talk, and supply-chain or operational compromise.
- RAG (ai-security № 897): Retrieval-Augmented Generation, an LLM pattern that fetches relevant documents from a knowledge store at query time and injects them into the prompt to ground responses.
- Data Poisoning (ai-security № 281): An attack on a machine-learning system in which adversaries inject, alter, or relabel training data so the resulting model behaves incorrectly or contains hidden backdoors.
- Membership Inference Attack (ai-security № 666): A privacy attack that determines whether a specific data record was part of a machine-learning model's training set by analysing the model's behaviour on that record.