Supporting the Detection of Software Supply Chain Attacks through Unsupervised Signature Generation
Marc Ohm, Lukas Kempf, Felix Boes, Michael Meier

TL;DR
This paper presents ACME, an unsupervised clustering method that automatically detects and generates signatures for malicious software packages in supply chains, significantly aiding in timely attack detection.
Contribution
It introduces a scalable, unsupervised approach for detecting malicious packages by clustering similar code and automatically generating signatures, reducing manual effort.
Findings
Achieved an F1 score of 0.99 in clustering malicious packages.
Successfully identified six malicious npm packages that were later removed.
Demonstrated the approach's potential to support automated detection in real-world scenarios.
Abstract
Trojanized software packages used in software supply chain attacks constitute an emerging threat. Unfortunately, there is still a lack of scalable approaches that allow automated and timely detection of malicious software packages, and thus most detections are based on manual labor and expertise. However, it has been observed that most attack campaigns comprise multiple packages that share the same or similar malicious code. We leverage that fact to automatically reproduce manually identified clusters of known malicious packages that have been used in real-world attacks, thus reducing the need for expert knowledge and manual inspection. Our approach, AST Clustering using MCL to mimic Expertise (ACME), yields promising results with an F1 score of 0.99. Signatures are automatically generated based on characteristic code fragments from clusters and are subsequently used to scan the…
Taxonomy
Topics: Advanced Malware Detection Techniques · Software Engineering Research · Web Application Security Vulnerabilities
