Table of Contents
Fetching ...

Operational Runtime Behavior Mining for Open-Source Supply Chain Security

Zhuoran Tan, Ke Xiao, Jeremy Singer, Christos Anagnostopoulos

TL;DR

This work tackles the challenge of software supply chain security when source code is unavailable by mining runtime behavior from sandboxed executions. It introduces HeteroGAT-Rank, an attention-based heterogeneous graph learning framework that ranks observable runtime signals within per-package one-hop graphs to aid analyst-in-the-loop threat hunting. The approach leverages cross-ecosystem runtime traces, scalable graph construction, and a composite loss to produce interpretable pivots (e.g., file paths, commands, DNS, sockets) that align with real-world vulnerability and attack trends. The study demonstrates operational viability at scale, offering actionable indicators that feed into hunting workflows while emphasizing interpretability, cross-ecosystem generalization, and practical deployment considerations for security teams.

Abstract

Open-source software (OSS) is a critical component of modern software systems, yet supply chain security remains challenging in practice due to unavailable or obfuscated source code. Consequently, security teams often rely on runtime observations collected from sandboxed executions to investigate suspicious third-party components. We present HeteroGAT-Rank, an industry-oriented runtime behavior mining system that supports analyst-in-the-loop supply chain threat investigation. The system models execution-time behaviors of OSS packages as lightweight heterogeneous graphs and applies attention-based graph learning to rank behavioral patterns that are most relevant for security analysis. Rather than aiming for fully automated detection, HeteroGAT-Rank surfaces actionable runtime signals - such as file, network, and command activities - to guide manual investigation and threat hunting. To operate at ecosystem scale, the system decouples offline behavior mining from online analysis and integrates parallel graph construction for efficient processing across multiple ecosystems. An evaluation on a large-scale OSS execution dataset shows that HeteroGAT-Rank effectively highlights meaningful and interpretable behavioral indicators aligned with real-world vulnerability and attack trends, supporting practical security workflows under realistic operational constraints.

Operational Runtime Behavior Mining for Open-Source Supply Chain Security

TL;DR

This work tackles the challenge of software supply chain security when source code is unavailable by mining runtime behavior from sandboxed executions. It introduces HeteroGAT-Rank, an attention-based heterogeneous graph learning framework that ranks observable runtime signals within per-package one-hop graphs to aid analyst-in-the-loop threat hunting. The approach leverages cross-ecosystem runtime traces, scalable graph construction, and a composite loss to produce interpretable pivots (e.g., file paths, commands, DNS, sockets) that align with real-world vulnerability and attack trends. The study demonstrates operational viability at scale, offering actionable indicators that feed into hunting workflows while emphasizing interpretability, cross-ecosystem generalization, and practical deployment considerations for security teams.

Abstract

Open-source software (OSS) is a critical component of modern software systems, yet supply chain security remains challenging in practice due to unavailable or obfuscated source code. Consequently, security teams often rely on runtime observations collected from sandboxed executions to investigate suspicious third-party components. We present HeteroGAT-Rank, an industry-oriented runtime behavior mining system that supports analyst-in-the-loop supply chain threat investigation. The system models execution-time behaviors of OSS packages as lightweight heterogeneous graphs and applies attention-based graph learning to rank behavioral patterns that are most relevant for security analysis. Rather than aiming for fully automated detection, HeteroGAT-Rank surfaces actionable runtime signals - such as file, network, and command activities - to guide manual investigation and threat hunting. To operate at ecosystem scale, the system decouples offline behavior mining from online analysis and integrates parallel graph construction for efficient processing across multiple ecosystems. An evaluation on a large-scale OSS execution dataset shows that HeteroGAT-Rank effectively highlights meaningful and interpretable behavioral indicators aligned with real-world vulnerability and attack trends, supporting practical security workflows under realistic operational constraints.
Paper Structure (50 sections, 4 figures, 6 tables, 1 algorithm)

This paper contains 50 sections, 4 figures, 6 tables, 1 algorithm.

Figures (4)

  • Figure 1: Knowledge Graph Construction Pipeline
  • Figure 2: Record-to-Graph Example
  • Figure 3: HeteroGAT-Rank Framework
  • Figure 4: Training Loss Comparison Across Models