FuseChain: Runtime Evidence Reconstruction for Software Supply-Chain Attacks

📅 2026-06-14
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses the challenge of detecting multi-stage, cross-source software supply chain attacks characterized by sparse forensic evidence, which existing runtime detection approaches struggle to analyze due to their inability to effectively integrate heterogeneous telemetry and reconstruct temporal attack context. The authors propose a decoupled architecture that constructs a unified timeline-based provenance graph, fusing multi-source data—including package dependencies, process events, network traffic, and security alerts—and employs a frozen anomaly detection backbone with lightweight stage-specific decoders to enable efficient and deployable attack stage reconstruction. This approach achieves the first runtime alignment of sparse, cross-source evidence along a common timeline, improving Stage Recall@500 from 0.369 to 0.881 across seven attack scenarios; with adaptive retrieval, the observable stage recall further increases to 0.655.
📝 Abstract
Software supply-chain (SSC) attacks are increasingly multi-stage, cross-source, and temporally distributed. A single attack campaign may leave weak and fragmented traces across multi-source telemetry that captures different granularities and perspectives of runtime behavior. Existing runtime detection systems often analyze these sources independently, making it difficult to identify low-frequency attack evidence or reconstruct the temporal context in which it appears. We present FUSECHAIN, a runtime detection framework that represents multi-source software supply-chain telemetry as a temporal heterogeneous provenance graph over a unified event-time axis. By aligning package/runtime traces, process events, network telemetry, DNS/HTTP metadata, and security alerts on a unified temporal graph, FuseChain captures cross-source dependencies and sparse attack evidence that may be ambiguous within any individual source. It learns anomaly-centric temporal representations from benign-prefix telemetry and performs deployable attack-stage reconstruction through a lightweight decoder on top of a frozen anomaly backbone. Our experiments show that jointly optimizing anomaly detection and stage prediction is ineffective under sparse and imbalanced runtime supply-chain telemetry. Across seven SSC attack scenarios, FuseChain improves deployable stage reconstruction from 0.369 to 0.881 Stage Recall@500 with a frozen-backbone decoder, while adaptive retrieval further increases observable-stage recall from 0.524 to 0.655 without modifying the detector. These results highlight the deployable value of decoupling runtime SSC anomaly detection from downstream attack-stage interpretation.
Problem

Research questions and friction points this paper is trying to address.

software supply-chain attacks
runtime telemetry
temporal context
attack evidence reconstruction
multi-source detection
Innovation

Methods, ideas, or system contributions that make the work stand out.

temporal heterogeneous provenance graph
multi-source telemetry fusion
frozen-backbone decoder
attack-stage reconstruction
software supply-chain security