Towards Predicting Multi-Vulnerability Attack Chains in Software Supply Chains from Software Bill of Materials Graphs

Researchers Laura Baird and Armin Moin have introduced a novel AI-driven approach to predict complex, cascading software vulnerabilities, a critical weakness in modern software supply chains. Their research, accepted for ACM FSE 2026, addresses the limitation of current security tools that treat vulnerabilities as independent CVE records. Instead, they model the entire Software Bill of Materials (SBOM) as a heterogeneous graph, where nodes represent components and known vulnerabilities (CVEs), connected by dependency and vulnerability links. This structure allows their AI to understand the relationships and potential attack paths between weaknesses.

They developed a two-part machine learning system. First, a Heterogeneous Graph Attention Network (HGAT) classifies whether a software component is vulnerable, achieving 91.03% accuracy and a 74.02% F1-score. Second, a lightweight Multi-Layer Perceptron (MLP) neural network is trained to perform link prediction, specifically identifying pairs of vulnerabilities that can be chained together in an attack. This cascade predictor model demonstrated a high-performance ROC-AUC score of 0.93 when validated on 200 real-world SBOMs from the public Wild SBOMs dataset and a seed set of 35 documented multi-step attack chains. This represents a significant shift from flat-list vulnerability scanning to a contextual, graph-based risk assessment.