Unmasking Supply Chain Attacks via Application Behaviour

Black Hat USA 2025 · Day 1 · Briefings

Researchers at Netskope Threat Labs spent two years building BEAM (Behavioral Evaluation of Application Metrics), an open-source tool that profiles the network behavior of native desktop applications and flags anomalous traffic indicative of a supply-chain compromise. Trained on 56 billion HTTP transactions from 2,000 organizations, BEAM uses per-application XGBoost models with SHAP explainability to detect when a trusted app — such as Spotify or Box — is communicating with attacker-controlled infrastructure. A red-team/blue-team exercise confirmed it catches real-world attacks with up to 99% confidence.
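A minimal illustration of the per-application behavioral baseline described above, added here as example code and not BEAM's own implementation: the log format, the User-Agent attribution rule, the two features and their weights are assumptions standing in for BEAM's XGBoost models and SHAP attributions, and every log line is constructed. It also shows the attribution gap the limitations mention, since a transaction with no User-Agent cannot be scored against any application profile.

```python
import re
from collections import defaultdict

# Constructed proxy-log lines (sample data, not from BEAM or any real tenant).
# Each transaction is attributed to an application by its User-Agent product token.
BASELINE = [
    "ua=Spotify/1.2.30 host=api.spotify.com bytes_out=512",
    "ua=Spotify/1.2.30 host=audio-fa.scdn.co bytes_out=640",
    "ua=Spotify/1.2.30 host=api.spotify.com bytes_out=480",
    "ua=Box/4.0 host=api.box.com bytes_out=2048",
    "ua=Box/4.0 host=upload.box.com bytes_out=900000",
]
NEW = [
    "ua=Spotify/1.2.30 host=api.spotify.com bytes_out=500",                # normal
    "ua=Spotify/1.2.30 host=cdn-update.example.invalid bytes_out=800000",  # constructed anomaly
    "ua= host=api.spotify.com bytes_out=500",                              # no User-Agent
]
LINE = re.compile(r"ua=(?P<ua>\S*) host=(?P<host>\S+) bytes_out=(?P<bytes>\d+)")
WEIGHTS = {"new_host": 0.7, "bytes_out_spike": 0.3}  # hypothetical feature weights
THRESHOLD = 0.6                                       # hypothetical alert threshold

def parse(line):
    """Return (app, host, bytes_out); app is None when the User-Agent is empty."""
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    app = m["ua"].split("/")[0] or None
    return app, m["host"], int(m["bytes"])

def build_profiles(lines):
    """Per-application baseline: hosts seen and the largest upload observed."""
    profiles = defaultdict(lambda: {"hosts": set(), "max_bytes": 0})
    for line in lines:
        app, host, nbytes = parse(line)
        if app is None:  # unattributable traffic cannot train any profile
            continue
        profiles[app]["hosts"].add(host)
        profiles[app]["max_bytes"] = max(profiles[app]["max_bytes"], nbytes)
    return profiles

def score(profiles, line):
    """Score one transaction against its app's profile, with per-feature contributions."""
    app, host, nbytes = parse(line)
    if app is None or app not in profiles:
        return {"app": app, "verdict": "unattributed", "score": 0.0, "contributions": {}}
    p = profiles[app]
    features = {
        "new_host": 1.0 if host not in p["hosts"] else 0.0,
        "bytes_out_spike": 1.0 if nbytes > 2 * p["max_bytes"] else 0.0,
    }
    contributions = {f: WEIGHTS[f] * v for f, v in features.items()}  # explains the verdict
    total = round(sum(contributions.values()), 2)
    verdict = "anomalous" if total >= THRESHOLD else "baseline"
    return {"app": app, "verdict": verdict, "score": total, "contributions": contributions}
```

The contributions dictionary plays the role SHAP plays for BEAM: an analyst sees which feature (a never-before-seen destination, an upload far above the app's norm) drove the alert rather than just a score.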

AI review

BEAM addresses a real gap — supply chain compromise detection via behavioral network profiling — and the Spotify red-team exercise with 94% confidence detection is a genuine validation. The XGBoost-per-application architecture with SHAP explainability is the right engineering choice. But 56 billion transactions, 185 features, and an ensemble ML system trained over two years to detect... anomalous HTTP traffic. The limitations they acknowledge — high-entropy apps, attribution without User-Agent, bespoke model quality — are not minor.
