This paper addresses the practical limitation where attackers can observe only a subset of input features, and formally introduces the problem of Partial-Feature Membership Inference (PFMI). To solve PFMI, we propose MRAD, a two-stage attack framework: (1) gradient-based optimization to reconstruct missing features, and (2) ensemble-based anomaly detection to quantify a sample’s deviation from the training distribution, thereby inferring membership. Crucially, MRAD operates without requiring full-feature access—overcoming a key dependency of conventional membership inference attacks on complete feature visibility. Extensive experiments across multiple benchmark datasets demonstrate MRAD’s robustness: even with 40% feature missingness (e.g., on STL-10), it achieves an AUC of approximately 0.6. Moreover, MRAD exhibits broad applicability, being agnostic to both target model architectures and specific anomaly detectors.

Machine learning models have been shown to be susceptible to membership inference attack, which can be used to determine whether a given sample appears in the training data. Existing membership inference methods commonly assume that the adversary has full access to the features of the target sample. This assumption, however, does not hold in many real-world scenarios where only partial features information is available, thereby limiting the applicability of these methods. In this work, we study an inference scenario where the adversary observes only partial features of each sample and aims to infer whether this observed subset was present in the training set of the target model. We define this problem as Partial Feature Membership Inference (PFMI). To address this problem, we propose MRAD (Memory-guided Reconstruction and Anomaly Detection), a two-stage attack framework. In the first stage, MRAD optimizes the unknown feature values to minimize the loss of the sample. In the second stage, it measures the deviation between the reconstructed sample and the training distribution using anomaly detection. Empirical results demonstrate that MRAD is effective across a range of datasets, and maintains compatibility with various off-the-shelf anomaly detection techniques. For example, on STL-10, our attack achieves an AUC of around 0.6 even with 40% of the missing features.