{"id":"https://openalex.org/W7152079604","doi":"https://doi.org/10.48550/arxiv.2604.04977","title":"Towards Predicting Multi-Vulnerability Attack Chains in Software Supply Chains from Software Bill of Materials Graphs","display_name":"Towards Predicting Multi-Vulnerability Attack Chains in Software Supply Chains from Software Bill of Materials Graphs","publication_year":2026,"publication_date":"2026-04-04","ids":{"openalex":"https://openalex.org/W7152079604","doi":"https://doi.org/10.48550/arxiv.2604.04977"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2604.04977","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.04977","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2604.04977","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5124237675","display_name":"Laura Baird","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Baird, Laura","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5133223253","display_name":"Armin Moin","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Moin, Armin","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":2,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.6643000245094299,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.6643000245094299,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.1152999997138977,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.02370000071823597,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.6173999905586243},{"id":"https://openalex.org/keywords/classifier","display_name":"Classifier (UML)","score":0.5666999816894531},{"id":"https://openalex.org/keywords/component","display_name":"Component (thermodynamics)","score":0.48510000109672546},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.4650000035762787},{"id":"https://openalex.org/keywords/vulnerability-assessment","display_name":"Vulnerability assessment","score":0.4578999876976013},{"id":"https://openalex.org/keywords/artificial-neural-network","display_name":"Artificial neural network","score":0.44020000100135803},{"id":"https://openalex.org/keywords/dependency-graph","display_name":"Dependency graph","score":0.40880000591278076},{"id":"https://openalex.org/keywords/component-based-software-engineering","display_name":"Component-based software engineering","score":0.3919000029563904},{"id":"https://openalex.org/keywords/graph","display_name":"Graph","score":0.38269999623298645}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7394000291824341},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.6173999905586243},{"id":"https://openalex.org/C95623464","wikidata":"https://www.wikidata.org/wiki/Q1096149","display_name":"Classifier (UML)","level":2,"score":0.5666999816894531},{"id":"https://openalex.org/C168167062","wikidata":"https://www.wikidata.org/wiki/Q1117970","display_name":"Component (thermodynamics)","level":2,"score":0.48510000109672546},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.4650000035762787},{"id":"https://openalex.org/C167063184","wikidata":"https://www.wikidata.org/wiki/Q1400839","display_name":"Vulnerability assessment","level":3,"score":0.4578999876976013},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.44339999556541443},{"id":"https://openalex.org/C50644808","wikidata":"https://www.wikidata.org/wiki/Q192776","display_name":"Artificial neural network","level":2,"score":0.44020000100135803},{"id":"https://openalex.org/C16311509","wikidata":"https://www.wikidata.org/wiki/Q4148050","display_name":"Dependency graph","level":3,"score":0.40880000591278076},{"id":"https://openalex.org/C174683762","wikidata":"https://www.wikidata.org/wiki/Q609588","display_name":"Component-based software engineering","level":4,"score":0.3919000029563904},{"id":"https://openalex.org/C132525143","wikidata":"https://www.wikidata.org/wiki/Q141488","display_name":"Graph","level":2,"score":0.38269999623298645},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.3727000057697296},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.36730000376701355},{"id":"https://openalex.org/C19768560","wikidata":"https://www.wikidata.org/wiki/Q320727","display_name":"Dependency (UML)","level":2,"score":0.35120001435279846},{"id":"https://openalex.org/C179717631","wikidata":"https://www.wikidata.org/wiki/Q2991667","display_name":"Multilayer perceptron","level":3,"score":0.3402000069618225},{"id":"https://openalex.org/C182590292","wikidata":"https://www.wikidata.org/wiki/Q989632","display_name":"Network security","level":2,"score":0.33959999680519104},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.3391999900341034},{"id":"https://openalex.org/C60908668","wikidata":"https://www.wikidata.org/wiki/Q690207","display_name":"Perceptron","level":3,"score":0.33379998803138733},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.3287000060081482},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.3248000144958496},{"id":"https://openalex.org/C102379954","wikidata":"https://www.wikidata.org/wiki/Q2589940","display_name":"Call graph","level":2,"score":0.32440000772476196},{"id":"https://openalex.org/C120314980","wikidata":"https://www.wikidata.org/wiki/Q180634","display_name":"Distributed computing","level":1,"score":0.3206000030040741},{"id":"https://openalex.org/C126042441","wikidata":"https://www.wikidata.org/wiki/Q1324888","display_name":"Frame (networking)","level":2,"score":0.3163999915122986},{"id":"https://openalex.org/C2776836416","wikidata":"https://www.wikidata.org/wiki/Q1364844","display_name":"False alarm","level":2,"score":0.3100000023841858},{"id":"https://openalex.org/C34146451","wikidata":"https://www.wikidata.org/wiki/Q5048094","display_name":"Cascade","level":2,"score":0.30329999327659607},{"id":"https://openalex.org/C172776598","wikidata":"https://www.wikidata.org/wiki/Q7943570","display_name":"Vulnerability management","level":4,"score":0.3012999892234802},{"id":"https://openalex.org/C88230418","wikidata":"https://www.wikidata.org/wiki/Q131476","display_name":"Graph theory","level":2,"score":0.29420000314712524},{"id":"https://openalex.org/C207850805","wikidata":"https://www.wikidata.org/wiki/Q269608","display_name":"Reverse engineering","level":2,"score":0.27889999747276306},{"id":"https://openalex.org/C193435613","wikidata":"https://www.wikidata.org/wiki/Q2997928","display_name":"Connected component","level":2,"score":0.27379998564720154},{"id":"https://openalex.org/C31258907","wikidata":"https://www.wikidata.org/wiki/Q1301371","display_name":"Computer network","level":1,"score":0.26089999079704285},{"id":"https://openalex.org/C153180895","wikidata":"https://www.wikidata.org/wiki/Q7148389","display_name":"Pattern recognition (psychology)","level":2,"score":0.25529998540878296},{"id":"https://openalex.org/C117447612","wikidata":"https://www.wikidata.org/wiki/Q1412670","display_name":"Software quality","level":4,"score":0.2515999972820282}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2604.04977","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.04977","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2604.04977","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.04977","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Software":[0,19],"supply":[1],"chain":[2],"security":[3,26],"compromises":[4],"often":[5],"stem":[6],"from":[7,165],"cascaded":[8],"interactions":[9],"of":[10,21,75,140,197,203],"vulnerabilities,":[11],"for":[12,25,130],"example,":[13],"between":[14],"multiple":[15],"vulnerable":[16],"components.":[17],"Yet,":[18],"Bill":[20],"Materials":[22],"(SBOM)-based":[23],"pipelines":[24],"analysis":[27],"typically":[28],"treat":[29],"scanner":[30,63],"findings":[31],"as":[32,65,82,100,126,143],"independent":[33],"per-CVE":[34],"(Common":[35],"Vulnerabilities":[36],"and":[37,62,90,102,178],"Exposures)":[38],"records.":[39],"We":[40,77,105],"propose":[41],"a":[42,53,66,72,107,116,127,148,188,200],"new":[43],"research":[44],"direction":[45],"based":[46],"on":[47,156,161,199],"learning":[48,131],"multi-vulnerability":[49,158],"attack":[50,206],"chains":[51],"through":[52],"novel":[54],"SBOM-driven":[55],"graph-learning":[56],"approach.":[57],"This":[58],"treats":[59],"SBOM":[60],"structure":[61],"outputs":[64],"dependency-constrained":[67],"evidence":[68],"graph":[69],"rather":[70],"than":[71],"flat":[73],"list":[74],"vulnerabilities.":[76],"represent":[78],"vulnerability-enriched":[79],"CycloneDX":[80],"SBOMs":[81,164,168],"heterogeneous":[83],"graphs":[84],"whose":[85],"nodes":[86],"capture":[87],"software":[88],"components":[89],"known":[91,124],"vulnerabilities":[92,142],"(i.e,":[93],"CVEs),":[94],"connected":[95],"by":[96],"typed":[97],"relations,":[98],"such":[99],"dependency":[101],"vulnerability":[103,125],"links.":[104],"train":[106],"Heterogeneous":[108],"Graph":[109],"Attention":[110],"Network":[111],"(HGAT)":[112],"to":[113],"predict":[114],"whether":[115],"component":[117,173],"is":[118],"associated":[119],"with":[120],"at":[121],"least":[122],"one":[123],"feasibility":[128],"check":[129],"over":[132],"this":[133],"structure.":[134],"Additionally,":[135],"we":[136],"frame":[137],"the":[138,166,171,182],"discovery":[139],"cascading":[141],"CVE-pair":[144],"link":[145],"prediction":[146],"using":[147],"lightweight":[149],"Multi-Layer":[150],"Perceptron":[151],"(MLP)":[152,186],"neural":[153],"network":[154],"trained":[155],"documented":[157,205],"chains.":[159,207],"Validated":[160],"200":[162],"real-world":[163],"Wild":[167],"public":[169],"dataset,":[170],"HGAT":[172],"classifier":[174],"achieves":[175,187],"91.03%":[176],"Accuracy":[177],"74.02%":[179],"F1-score,":[180],"while":[181],"cascade":[183],"predictor":[184],"model":[185],"Receiver":[189],"Operating":[190],"Characteristic":[191],"-":[192],"Area":[193],"Under":[194],"Curve":[195],"(ROC-AUC)":[196],"0.93":[198],"seed":[201],"set":[202],"35":[204]},"counts_by_year":[],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2026-04-09T00:00:00"}