attack 2025

Membership Inference Attack with Partial Features

Xurun Wang 1, Guangrui Liu 1, Xinjie Li 1, Haoyu He 2, Lin Yao 3, Zhongyun Hua 1, Weizhe Zhang 1

Published on arXiv: 2508.06244

Membership Inference Attack

OWASP ML Top 10 — ML04

Key Finding

MRAD achieves an AUC of ~0.75 on STL-10 even when 60% of the target sample's features are unobserved, outperforming baselines in the partial-feature MIA setting.

Novel technique introduced: MRAD (Memory-guided Reconstruction and Anomaly Detection)


Machine learning models are vulnerable to membership inference attacks, which can be used to determine whether a given sample appears in the training data. Most existing methods assume the attacker has full access to the features of the target sample. This assumption, however, does not hold in many real-world scenarios where only partial features are available, thereby limiting the applicability of these methods. In this work, we introduce Partial Feature Membership Inference (PFMI), a scenario where the adversary observes only partial features of each sample and aims to infer whether this observed subset was present in the training set. To address this problem, we propose MRAD (Memory-guided Reconstruction and Anomaly Detection), a two-stage attack framework that works in both white-box and black-box settings. In the first stage, MRAD leverages the latent memory of the target model to reconstruct the unknown features of the sample. We observe that when the known features are absent from the training set, the reconstructed sample deviates significantly from the true data distribution. Consequently, in the second stage, we use anomaly detection algorithms to measure the deviation between the reconstructed sample and the training data distribution, thereby determining whether the known features belong to a member of the training set. Empirical results demonstrate that MRAD is effective across various datasets, and maintains compatibility with off-the-shelf anomaly detection techniques. For example, on STL-10, our attack exceeds an AUC of around 0.75 even with 60% of the features missing.


Key Contributions

  • Defines the Partial Feature Membership Inference (PFMI) threat scenario where an adversary infers training membership from only a subset of a sample's features
  • Proposes MRAD, a two-stage framework that first reconstructs missing features via the target model's latent memory, then applies anomaly detection to measure distributional deviation as a membership signal
  • Demonstrates effectiveness in both white-box and black-box settings, achieving AUC ~0.75 on STL-10 with 60% of features missing

🛡️ Threat Analysis

Membership Inference Attack

The paper's sole contribution is a new MIA attack scenario (PFMI) and method (MRAD) — the adversary's goal is the canonical ML04 question: 'was this sample in the training set?' The partial-feature constraint is a novel threat model variant, not a separate category.


Details

Domains
vision, tabular
Model Types
cnn, traditional_ml
Threat Tags
white_box, black_box, inference_time
Datasets
STL-10
Applications
image classification, medical diagnosis, tabular data classification