Operational Runtime Behavior Mining for Open-Source Supply Chain Security

• URL: http://arxiv.org/abs/2601.06948v1
• Date: Sun, 11 Jan 2026 15:14:18 GMT
• Title: Operational Runtime Behavior Mining for Open-Source Supply Chain Security
• Authors: Zhuoran Tan, Ke Xiao, Jeremy Singer, Christos Anagnostopoulos,
• Abstract summary: HeteroGAT-Rank is an industry-oriented runtime behavior mining system.<n>It surfaces actionable runtime signals to guide manual investigation and threat hunting.<n>An evaluation on a large-scale OSS execution dataset shows that HeteroGAT-Rank effectively highlights meaningful and interpretable behavioral indicators.
• Score: 2.9552238960255255
• License: http://creativecommons.org/licenses/by/4.0/
• Abstract: Open-source software (OSS) is a critical component of modern software systems, yet supply chain security remains challenging in practice due to unavailable or obfuscated source code. Consequently, security teams often rely on runtime observations collected from sandboxed executions to investigate suspicious third-party components. We present HeteroGAT-Rank, an industry-oriented runtime behavior mining system that supports analyst-in-the-loop supply chain threat investigation. The system models execution-time behaviors of OSS packages as lightweight heterogeneous graphs and applies attention-based graph learning to rank behavioral patterns that are most relevant for security analysis. Rather than aiming for fully automated detection, HeteroGAT-Rank surfaces actionable runtime signals - such as file, network, and command activities - to guide manual investigation and threat hunting. To operate at ecosystem scale, the system decouples offline behavior mining from online analysis and integrates parallel graph construction for efficient processing across multiple ecosystems. An evaluation on a large-scale OSS execution dataset shows that HeteroGAT-Rank effectively highlights meaningful and interpretable behavioral indicators aligned with real-world vulnerability and attack trends, supporting practical security workflows under realistic operational constraints.

Related papers

• Just Ask: Curious Code Agents Reveal System Prompts in Frontier LLMs [65.6660735371212]
  We present textbftextscJustAsk, a framework that autonomously discovers effective extraction strategies through interaction alone.<n>It formulates extraction as an online exploration problem, using Upper Confidence Bound--based strategy selection and a hierarchical skill space spanning atomic probes and high-level orchestration.<n>Our results expose system prompts as a critical yet largely unprotected attack surface in modern agent systems.
  arXiv  Detail & Related papers  (2026-01-29T03:53:25Z)
• ORCA -- An Automated Threat Analysis Pipeline for O-RAN Continuous Development [57.61878484176942]
  Open-Radio Access Network (O-RAN) integrates numerous software components in a cloud-like deployment, opening the radio access network to previously unconsidered security threats.<n>Current vulnerability assessment practices often rely on manual, labor-intensive, and subjective investigations, leading to inconsistencies in the threat analysis.<n>We propose an automated pipeline that leverages Natural Language Processing (NLP) to minimize human intervention and associated biases.
  arXiv  Detail & Related papers  (2026-01-20T07:31:59Z)
• CaMeLs Can Use Computers Too: System-level Security for Computer Use Agents [60.98294016925157]
  AI agents are vulnerable to prompt injection attacks, where malicious content hijacks agent behavior to steal credentials or cause financial loss.<n>We introduce Single-Shot Planning for CUAs, where a trusted planner generates a complete execution graph with conditional branches before any observation of potentially malicious content.<n>Although this architectural isolation successfully prevents instruction injections, we show that additional measures are needed to prevent Branch Steering attacks.
  arXiv  Detail & Related papers  (2026-01-14T23:06:35Z)
• GraphFaaS: Serverless GNN Inference for Burst-Resilient, Real-Time Intrusion Detection [13.23114511657902]
  Provenance-based intrusion detection is an increasingly popular application of graphical machine learning in cybersecurity.<n>Traditional statically-provisioned Graph Networks (GNNs) fall short in meeting two crucial demands of intrusion detection.<n>We present GraphF, a serverless architecture tailored for GNN-based intrusion detection.
  arXiv  Detail & Related papers  (2025-11-13T17:55:06Z)
• Toward Automated Security Risk Detection in Large Software Using Call Graph Analysis [0.30586855806896035]
  This paper investigates the automation of software threat modeling through the clustering of call graphs using density-based and community detection algorithms.<n>The proposed method was evaluated through a case study of the Splunk Forwarder Operator (SFO), wherein selected clustering metrics were applied to the software's call graph to assess pertinent code-density security weaknesses.
  arXiv  Detail & Related papers  (2025-10-30T15:43:59Z)
• Just-in-time Episodic Feedback Hinter: Leveraging Offline Knowledge to Improve LLM Agents Adaptation [77.90555621662345]
  We present JEF Hinter, an agentic system that distills offline traces into compact, context-aware hints.<n>A zooming mechanism highlights decisive steps in long trajectories, capturing both strategies and pitfalls.<n>Experiments on MiniWoB++, WorkArena-L1, and WebArena-Lite show that JEF Hinter consistently outperforms strong baselines.
  arXiv  Detail & Related papers  (2025-10-05T21:34:42Z)
• Distributed Temporal Graph Learning with Provenance for APT Detection in Supply Chains [4.3627234063853955]
  Advanced persistent threats (APTs) frequently leverage supply chain vulnerabilities (SCVs) as entry points.<n>Current defense strategies primarly focus on blockchain for integrity assurance or detection using plain-text source code analysis in open-source software (OSS)<n>We propose a novel approach that integrates multi-source data, constructs a comprehensive dynamic graph provenance, and detects APT behavior in real time using temporal graph learning.
  arXiv  Detail & Related papers  (2025-04-03T06:42:26Z)
• Exploring Answer Set Programming for Provenance Graph-Based Cyber Threat Detection: A Novel Approach [4.302577059401172]
  Provenance graphs are useful tools for representing system-level activities in cybersecurity.<n>This paper presents a novel approach using ASP to model and analyze provenance graphs.
  arXiv  Detail & Related papers  (2025-01-24T14:57:27Z)
• Code-as-Monitor: Constraint-aware Visual Programming for Reactive and Proactive Robotic Failure Detection [56.66677293607114]
  We propose Code-as-Monitor (CaM) for both open-set reactive and proactive failure detection.<n>To enhance the accuracy and efficiency of monitoring, we introduce constraint elements that abstract constraint-related entities.<n>Experiments show that CaM achieves a 28.7% higher success rate and reduces execution time by 31.8% under severe disturbances.
  arXiv  Detail & Related papers  (2024-12-05T18:58:27Z)
• OSPtrack: A Labeled Dataset Targeting Simulated Execution of Open-Source Software [0.0]
  This dataset includes 9,461 package reports, of which 1,962 are identified as malicious.<n>The dataset includes both static and dynamic features such as files, sockets, commands, and DNS records.<n>This dataset supports runtime detection, enhances detection model training, and enables efficient comparative analysis across ecosystems.
  arXiv  Detail & Related papers  (2024-11-22T10:07:42Z)
• Software Vulnerability Detection via Deep Learning over Disaggregated Code Graph Representation [57.92972327649165]
  This work explores a deep learning approach to automatically learn the insecure patterns from code corpora. Because code naturally admits graph structures with parsing, we develop a novel graph neural network (GNN) to exploit both the semantic context and structural regularity of a program.
  arXiv  Detail & Related papers  (2021-09-07T21:24:36Z)
• Graph Backdoor [53.70971502299977]
  We present GTA, the first backdoor attack on graph neural networks (GNNs) GTA departs in significant ways: it defines triggers as specific subgraphs, including both topological structures and descriptive features. It can be instantiated for both transductive (e.g., node classification) and inductive (e.g., graph classification) tasks.
  arXiv  Detail & Related papers  (2020-06-21T19:45:30Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.