E-MIA: Black-Box Membership Inference Attacks on RAG Systems

A new attack method, E-MIA, targets Retrieval-Augmented Generation (RAG) systems by inferring whether a specific document is part of the knowledge base. Under a black-box setting, an adversary can determine document membership solely from query response interactions, leaking sensitive corpus coverage. Existing RAG membership inference attack (MIA) methods rely on soft signals like semantic similarity, which produce overlapping score distributions, or use explicit confirmation probes that are easily detected. E-MIA converts verifiable hard evidence from the target document—such as fine-grained details, proper nouns, technical terms, definitional statements, and metadata—into effective probes. The method is designed to be stealthy and robust against refusal or detection. The paper is published on arXiv with ID 2605.00955.