Redirecting to original paper in 30 seconds...

Click below to go immediately or wait for automatic redirect

arxiv_ml 85% Match Research Paper Software Developers,Security Engineers,Researchers in Software Security 3 weeks ago

Leveraging Code Cohesion Analysis to Identify Source Code Supply Chain Attacks

ai-safety › robustness
📄 Abstract

Abstract: Supply chain attacks significantly threaten software security with malicious code injections within legitimate projects. Such attacks are very rare but may have a devastating impact. Detecting spurious code injections using automated tools is further complicated as it often requires deciphering the intention of both the inserted code and its context. In this study, we propose an unsupervised approach for highlighting spurious code injections by quantifying cohesion disruptions in the source code. Using a name-prediction-based cohesion (NPC) metric, we analyze how function cohesion changes when malicious code is introduced compared to natural cohesion fluctuations. An analysis of 54,707 functions over 369 open-source C++ repositories reveals that code injection reduces cohesion and shifts naming patterns toward shorter, less descriptive names compared to genuine function updates. Considering the sporadic nature of real supply-chain attacks, we evaluate the proposed method with extreme test-set imbalance and show that monitoring high-cohesion functions with NPC can effectively detect functions with injected code, achieving a Precision@100 of 36.41% at a 1:1,000 ratio and 12.47% at 1:10,000. These results suggest that automated cohesion measurements, in general, and name-prediction-based cohesion, in particular, may help identify supply chain attacks, improving source code integrity.
Authors (6)
Maor Reuben
Ido Mendel
Or Feldman
Moshe Kravchik
Mordehai Guri
Rami Puzis
Submitted
October 16, 2025
arXiv Category
cs.SE
arXiv PDF

Key Contributions

This paper proposes an unsupervised approach using a name-prediction-based cohesion (NPC) metric to identify spurious code injections in software supply chains. By quantifying cohesion disruptions and analyzing shifts in naming patterns, the method aims to detect malicious code insertions that are difficult to identify with traditional automated tools.

Business Value

Enhances the security of software development pipelines by providing automated tools to detect potentially malicious code injected into legitimate projects, thereby reducing the risk of devastating supply chain attacks.

Paper Metadata

Innovation Type

Algorithmic

Deployment Feasibility

Feasible, as it relies on static code analysis and a quantifiable metric, making it potentially integrable into CI/CD pipelines.

Limitations Addressed

Addresses the difficulty of detecting malicious code injections in legitimate projects, especially given their rare but devastating impact, and the challenge of deciphering the intention of inserted code and its context.

Technical Tags

supply chain securitycode cohesionunsupervised learningname predictionsoftware securitystatic analysiscode injection detectionC++ repositoriesanomaly detection

Research Topics

Software SecurityCode AnalysisMachine Learning for SecuritySupply Chain AttacksAnomaly Detection

Methods & Architectures

Name-prediction-based cohesion (NPC) metricUnsupervised learningCohesion analysis

Applications & Tasks

Software Development Cybersecurity Security Vulnerability DetectionMalicious Code Injection Identifying spurious code injectionsDetecting supply chain attacks

Related Fields

Software EngineeringCybersecurityMachine LearningStatic Analysis

Keywords

supply chain attackssoftware securitycode cohesionunsupervised learninganomaly detectionmalicious codestatic analysisC++repository analysissecurity vulnerabilitiescode injectionNPC metric

Academic Context

#Software Security#Code Analysis#Machine Learning for Security#Supply Chain Attacks#Anomaly Detection

Technology Stack

Programming Languages
C++

Commercial Potential

Potential Products
Automated security scanning toolsCI/CD security plugins
Target Industries
Software DevelopmentTechnologyFinanceHealthcare
Use Case Examples
Scanning open-source libraries for malicious injectionsAuditing code before integration into production systems
Competitive Edge
Offers an unsupervised approach that focuses on code cohesion, potentially complementing signature-based or behavioral analysis methods for supply chain attack detection.

Resource Requirements

Compute Needs
Moderate, likely requiring standard computational resources for static code analysis.
Data Requirements
Large corpus of source code repositories (e.g., C++ projects).
Deployment Constraints
Requires access to source code; effectiveness may depend on the complexity and nature of injected code.
Scalability
Scalability depends on the efficiency of the cohesion analysis and the size of the codebase being analyzed.

Production Readiness

Maturity Level

Research

View Full Paper Back to Papers