Jump to pattern

More Queries Means More Attack Surface

Why generating multiple query variants multiplies injection opportunities

The Conventional Framing

Multi-Query Retrieval generates multiple variants of the original query, runs retrieval for each, and merges results. Different phrasings surface different relevant documents.

The pattern improves recall by approaching the search from multiple angles.

Why This Multiplies Risk

Each query variant is a separate injection opportunity. If one variant is manipulated to retrieve malicious content, that content enters the merged results alongside legitimate documents.

Attackers only need to manipulate one variant to pollute the final result set.

Architecture

Components:

Variant generator— creates multiple query versions
Query variants— different phrasings of the same question
Parallel retrieval— searches for each variant
Result merger— combines and deduplicates results

Trust Boundaries

Original: "Company benefits policy" Variants generated: ├── "employee benefits handbook" (clean) ├── "company perks and compensation" (clean) └── [INJECTED] "confidential salary ranges" (poisoned) Merged results include documents from ALL queries. One poisoned variant pollutes the result set.

Query → Variant generator — injection affects all variants
Variants → Retrievals — each variant is an attack opportunity
Merge → Output — poisoned results mixed with clean ones

Threat Surface

Threat	Vector	Impact
Variant poisoning	One manipulated variant retrieves malicious content	Poisoned content in merged results
Surface multiplication	N variants = N injection opportunities	Increased probability of successful attack
Dilution attack	Generate many variants that retrieve specific content	Overwhelm legitimate results with targeted content

The ZIVIS Position

•
Attack surface scales with variant count.Every variant you generate is another chance for injection to succeed. Minimize variant count or validate each independently.
•
Validate each variant.Before searching with a variant, check it's semantically close to the original query. Reject divergent variants.
•
Track result provenance.Know which variant retrieved which document. Anomalies in which variants return what can indicate attacks.

What We Tell Clients

Multi-query retrieval trades security for recall. Each additional query variant is another injection opportunity.

Keep variant counts low, validate each variant against the original query, and track which variants retrieved which documents. Unusual retrieval patterns may indicate variant manipulation.

Related Patterns

Query Rewriting— single rewrite vs. multiple variants
Fusion Retrieval— combining retrieval methods instead of query variants