Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

SynthChain: A Synthetic Benchmark and Forensic Analysis of Advanced and Stealthy Software Supply Chain Attacks

Zhuoran Tan, Wenbo Guo, Taylor Brierley, Jiewen Luo, Jeremy Singer, Christos Anagnostopoulos

Abstract

Advanced software supply chain (SSC) attacks are increasingly runtime-only and leave fragmented evidence across hosts, services, and build/dependency layers, so any single telemetry stream is inherently insufficient to reconstruct full compromise chains under realistic access and budget limits. We present SynthChain, a near-production testbed and a multi-source runtime dataset with chain-level ground truth, derived from real-world malicious packages and exploit campaigns. SynthChain covers seven representative supply-chain exploit scenarios across PyPI, npm, and a native C/C++ supply-chain case, spanning Windows and Linux, and involving four hosts and one containerized environment. Scenarios span realistic time windows from minutes to hours and are annotated with 14 MITRE ATT&CK tactics and 161 techniques (29-104 techniques per scenario). Beyond releasing the data, we quantify observability constraints by mapping each chain step to the minimum evidence needed for detection and cross-source correlation. With realistic trace availability, no single source is chain-complete: the best single source reaches only 0.391 weighted tag/step coverage and 0.403 mean chain reconstruction. Even minimal two-source fusion boosts coverage to 0.636 and reconstruction to 0.639 (approximately 1.6x gain), with consistent chain coverage/recall improvements (0.545). The corpus contains approximately 0.58M raw multi-source events and 1.50M evaluation rows, enabling controlled studies of detection under constrained telemetry. We release the dataset, ground truth, and artifacts to support reproducible, forensic-aware runtime defenses and to guide efficient detection for software supply chains.

SynthChain: A Synthetic Benchmark and Forensic Analysis of Advanced and Stealthy Software Supply Chain Attacks

Abstract

Advanced software supply chain (SSC) attacks are increasingly runtime-only and leave fragmented evidence across hosts, services, and build/dependency layers, so any single telemetry stream is inherently insufficient to reconstruct full compromise chains under realistic access and budget limits. We present SynthChain, a near-production testbed and a multi-source runtime dataset with chain-level ground truth, derived from real-world malicious packages and exploit campaigns. SynthChain covers seven representative supply-chain exploit scenarios across PyPI, npm, and a native C/C++ supply-chain case, spanning Windows and Linux, and involving four hosts and one containerized environment. Scenarios span realistic time windows from minutes to hours and are annotated with 14 MITRE ATT&CK tactics and 161 techniques (29-104 techniques per scenario). Beyond releasing the data, we quantify observability constraints by mapping each chain step to the minimum evidence needed for detection and cross-source correlation. With realistic trace availability, no single source is chain-complete: the best single source reaches only 0.391 weighted tag/step coverage and 0.403 mean chain reconstruction. Even minimal two-source fusion boosts coverage to 0.636 and reconstruction to 0.639 (approximately 1.6x gain), with consistent chain coverage/recall improvements (0.545). The corpus contains approximately 0.58M raw multi-source events and 1.50M evaluation rows, enabling controlled studies of detection under constrained telemetry. We release the dataset, ground truth, and artifacts to support reproducible, forensic-aware runtime defenses and to guide efficient detection for software supply chains.
Paper Structure (117 sections, 4 equations, 11 figures, 18 tables, 1 algorithm)

This paper contains 117 sections, 4 equations, 11 figures, 18 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Key challenge: observability limits in realistic deployments.
  3. Our approach.
  4. What we find: single-source is not enough while more is not always better.
  5. Limitations of Existing Telemetry for Advanced Supply-Chain Attack Analysis
  6. Scope and Threat Coverage
  7. Fragmented Observability of Advanced Supply-Chain Attacks
  8. Synthetic Data Generation and the Lack of Cross-Source Alignment
  9. Related Work
  10. Dataset Comparison
  11. Statistical Analysis of Malicious Packages
  12. Methodology
  13. Setting Up
  14. Collected Data
  15. Telemetry variability and trust domains.
  16. ...and 102 more sections

Figures (11)

  • Figure 1: Simulation Workflow and Analysis Pipeline
  • Figure 2: Stegano and Starter Attack Flow
  • Figure 3: SC1 attack lifecycle. Phases are color-coded: setup (green), initial access and execution (red), C2 establishment (purple), and exfiltration (orange). MITRE ATT&CK technique IDs appear below each phase transition.
  • Figure 4: Distributions of malicious semantics and trigger/evasion mechanisms.
  • Figure 5: SC1 network traffic analysis. (a) Traffic volume per destination IP on logarithmic scale, showing 265 MB received from the payload server versus 2.1 MB sent. (b) Connection timeline in 5-minute intervals, with sustained C2 activity (purple) and payload retrieval (red) visible throughout the attack window. (c) Destination port distribution, where SSH (port 22) accounts for 46 connections exclusively from Python processes. (d) C2 channel traffic pattern exhibiting irregular beacon intervals ($\mu = 4.2$ min, $\sigma = 1.8$ min).
  • ...and 6 more figures