attack 2025

P-MIA: A Profiled-Based Membership Inference Attack on Cognitive Diagnosis Models

Mingliang Hou 1,2, Yinuo Wang 1, Teng Guo 1, Zitao Liu 1, Wenzhou Dou 1,2, Jiaqi Zheng 1, Renqiang Luo 3, Mi Tian 2, Weiqi Luo 1

1 citations · 22 references · arXiv

Published on arXiv

2511.04716

Membership Inference Attack

OWASP ML Top 10 — ML04

Key Finding

The grey-box P-MIA attack, which exploits exposed internal knowledge state vectors (reverse-engineered from radar chart visualizations), significantly outperforms standard black-box membership inference baselines against cognitive diagnosis models.

P-MIA

Novel technique introduced


Cognitive diagnosis models (CDMs) are pivotal for creating fine-grained learner profiles in modern intelligent education platforms. However, these models are trained on sensitive student data, raising significant privacy concerns. While membership inference attacks (MIA) have been studied in various domains, their application to CDMs remains a critical research gap, leaving their privacy risks unquantified. This paper is the first to systematically investigate MIA against CDMs. We introduce a novel and realistic grey-box threat model that exploits the explainability features of these platforms, where a model's internal knowledge state vectors are exposed to users through visualizations such as radar charts. We demonstrate that these vectors can be accurately reverse-engineered from such visualizations, creating a potent attack surface. Based on this threat model, we propose a profile-based MIA (P-MIA) framework that leverages both the model's final prediction probabilities and the exposed internal knowledge state vectors as features. Extensive experiments on three real-world datasets against mainstream CDMs show that our grey-box attack significantly outperforms standard black-box baselines. Furthermore, we showcase the utility of P-MIA as an auditing tool by successfully evaluating the efficacy of machine unlearning techniques and revealing their limitations.


Key Contributions

  • First systematic investigation of membership inference attacks against cognitive diagnosis models, establishing a novel grey-box threat model that exploits knowledge state vectors exposed through learner profile visualizations (radar charts)
  • P-MIA framework combining final prediction probabilities and reverse-engineered internal knowledge state vectors as features, significantly outperforming black-box baselines
  • Application of P-MIA as an auditing tool to quantify the limitations of machine unlearning techniques on CDMs

🛡️ Threat Analysis

Membership Inference Attack

The paper's primary contribution is P-MIA, a novel membership inference attack that determines whether a specific student's interaction records were used to train a cognitive diagnosis model — the canonical MIA binary question. The grey-box threat model uniquely exploits internal knowledge state vectors exposed via radar chart visualizations for explainability.


Details

Domains
tabular
Model Types
traditional_ml
Threat Tags
grey_box, inference_time
Datasets
three real-world educational interaction datasets (unspecified in available text)
Applications
cognitive diagnosis, intelligent tutoring systems, educational assessment platforms