Open-source software (OSS) is a critical component of modern software systems, yet supply chain security remains challenging in practice due to unavailable or obfuscated source code. Consequently, security teams often rely on runtime observations collected from sandboxed executions to investigate suspicious third-party components. We present HeteroGAT-Rank, an industry-oriented runtime behavior mining system that supports analyst-in-the-loop supply chain threat investigation. The system models execution-time behaviors of OSS packages as lightweight heterogeneous graphs and applies attention-based graph learning to rank behavioral patterns that are most relevant for security analysis. Rather than aiming for fully automated detection, HeteroGAT-Rank surfaces actionable runtime signals, such as file, network, and command activities, to guide manual investigation and threat hunting. To operate at ecosystem scale, the system decouples offline behavior mining from online analysis and integrates parallel graph construction for efficient processing across multiple ecosystems. An evaluation on a large-scale OSS execution dataset shows that HeteroGAT-Rank effectively highlights meaningful and interpretable behavioral indicators aligned with real-world vulnerability and attack trends, supporting practical security workflows under realistic operational constraints.
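An added example, not the paper's code, of the first half of that pipeline: sandbox observations are turned into a lightweight heterogeneous graph (package, file, host and command nodes joined by typed edges), and the behavior nodes are ranked so an analyst sees the unusual file, network and command activity first. The ranking here is a plain cross-package rarity heuristic standing in for the paper's attention-based graph learning; the events and per-type weights are constructed.

```python
from collections import defaultdict
from math import log

# Constructed sandbox observations (package, action, target); not real data.
EVENTS = [
    ("pkg-a", "writes", "/tmp/build.log"),
    ("pkg-a", "connects", "registry.example"),
    ("pkg-b", "writes", "/tmp/build.log"),
    ("pkg-b", "connects", "registry.example"),
    ("pkg-c", "writes", "/tmp/build.log"),
    ("pkg-c", "connects", "registry.example"),
    ("pkg-c", "executes", "curl"),
    ("pkg-c", "writes", "/home/user/.ssh/authorized_keys"),
]
# Edge action -> node type of the target side of the edge.
NODE_TYPE = {"writes": "file", "connects": "host", "executes": "command"}
# Hypothetical analyst-set priors: how much each behavior type is worth a look.
TYPE_WEIGHT = {"file": 1.0, "host": 1.2, "command": 1.5}


def build_graph(events):
    """Return (nodes, edges): nodes maps (type, name) -> type,
    edges are (package_node, action, behavior_node) triples."""
    nodes, edges = {}, []
    for pkg, action, target in events:
        src, dst = ("package", pkg), (NODE_TYPE[action], target)
        nodes[src], nodes[dst] = "package", NODE_TYPE[action]
        edges.append((src, action, dst))
    return nodes, edges


def rank_behaviors(events):
    """Score every non-package node by how few packages touch it (IDF-style),
    scaled by its type weight; highest score first. A behavior shared by all
    packages scores exactly its type weight, so build noise sinks to the bottom."""
    nodes, edges = build_graph(events)
    n_pkgs = sum(1 for t in nodes.values() if t == "package")
    touched_by = defaultdict(set)
    for src, _, dst in edges:
        touched_by[dst].add(src)
    scores = {}
    for node, ntype in nodes.items():
        if ntype == "package":
            continue
        rarity = 1.0 + log(n_pkgs / len(touched_by[node]))
        scores[node] = TYPE_WEIGHT[ntype] * rarity
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for node, score in rank_behaviors(EVENTS):
        print(f"{score:5.2f}  {node[0]:8s} {node[1]}")
```

In the constructed data the lone `curl` execution and the write to `authorized_keys` rank above the build log and registry contact every package produces, which is the triage order an analyst wants.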