A Survey of Heterogeneous Graph Neural Networks for Cybersecurity Anomaly Detection

• URL: http://arxiv.org/abs/2510.26307v1
• Date: Thu, 30 Oct 2025 09:49:59 GMT
• Title: A Survey of Heterogeneous Graph Neural Networks for Cybersecurity Anomaly Detection
• Authors: Laura Jiang, Reza Ryan, Qian Li, Nasim Ferdosian,
• Abstract summary: Heterogeneous Graph Neural Networks (HGNNs) have emerged as a promising paradigm for anomaly detection.<n>This survey aims to establish a structured foundation for advancing HGNN-based anomaly detection toward scalable, interpretable, and practically deployable solutions.
• Score: 4.1427901594249255
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: Anomaly detection is a critical task in cybersecurity, where identifying insider threats, access violations, and coordinated attacks is essential for ensuring system resilience. Graph-based approaches have become increasingly important for modeling entity interactions, yet most rely on homogeneous and static structures, which limits their ability to capture the heterogeneity and temporal evolution of real-world environments. Heterogeneous Graph Neural Networks (HGNNs) have emerged as a promising paradigm for anomaly detection by incorporating type-aware transformations and relation-sensitive aggregation, enabling more expressive modeling of complex cyber data. However, current research on HGNN-based anomaly detection remains fragmented, with diverse modeling strategies, limited comparative evaluation, and an absence of standardized benchmarks. To address this gap, we provide a comprehensive survey of HGNN-based anomaly detection methods in cybersecurity. We introduce a taxonomy that classifies approaches by anomaly type and graph dynamics, analyze representative models, and map them to key cybersecurity applications. We also review commonly used benchmark datasets and evaluation metrics, highlighting their strengths and limitations. Finally, we identify key open challenges related to modeling, data, and deployment, and outline promising directions for future research. This survey aims to establish a structured foundation for advancing HGNN-based anomaly detection toward scalable, interpretable, and practically deployable solutions.

Related papers

• Graph Neural Network Based Adaptive Threat Detection for Cloud Identity and Access Management Logs [0.0]
  This paper presents a Graph Neural Network Based Adaptive Threat Detection framework.<n>It learns latent user resource interaction patterns from IAM audit trails in real time.
  arXiv  Detail & Related papers  (2025-12-11T04:44:02Z)
• Graph Neural AI with Temporal Dynamics for Comprehensive Anomaly Detection in Microservices [7.957284443727372]
  This study addresses the problem of anomaly detection and root cause tracing in microservice architectures.<n>It proposes a unified framework that combines graph neural networks with temporal modeling.
  arXiv  Detail & Related papers  (2025-11-05T08:28:41Z)
• Attention Augmented GNN RNN-Attention Models for Advanced Cybersecurity Intrusion Detection [0.4369550829556577]
  We propose a novel hybrid deep learning architecture that synergistically combines Graph Neural Networks (GNNs), Recurrent Neural Networks (RNNs) and multi-head attention mechanisms.<n>Our approach effectively captures both spatial dependencies through graph structural relationships and sequential analysis of network events.<n>The integrated attention mechanism provides dual benefits of improved model interpretability and enhanced feature selection, enabling cybersecurity analysts to focus computational resources on high-impact security events.
  arXiv  Detail & Related papers  (2025-10-29T03:47:02Z)
• Anomaly Detection and Generation with Diffusion Models: A Survey [51.61574868316922]
  Anomaly detection (AD) plays a pivotal role across diverse domains, including cybersecurity, finance, healthcare, and industrial manufacturing.<n>Recent advancements in deep learning, specifically diffusion models (DMs), have sparked significant interest.<n>This survey aims to guide researchers and practitioners in leveraging DMs for innovative AD solutions across diverse applications.
  arXiv  Detail & Related papers  (2025-06-11T03:29:18Z)
• Out-of-Distribution Detection on Graphs: A Survey [58.47395497985277]
  Graph out-of-distribution (GOOD) detection focuses on identifying graph data that deviates from the distribution seen during training.<n>We categorize existing methods into four types: enhancement-based, reconstruction-based, information propagation-based, and classification-based approaches.<n>We discuss practical applications and theoretical foundations, highlighting the unique challenges posed by graph data.
  arXiv  Detail & Related papers  (2025-02-12T04:07:12Z)
• xAI-Drop: Don't Use What You Cannot Explain [23.33477769275026]
  Graph Neural Networks (GNNs) have emerged as the predominant paradigm for learning from graph-structured data. GNNs face challenges such as lack of generalization and poor interpretability. We introduce xAI-Drop, a novel topological-level dropping regularizer.
  arXiv  Detail & Related papers  (2024-07-29T14:53:45Z)
• HGAttack: Transferable Heterogeneous Graph Adversarial Attack [63.35560741500611]
  Heterogeneous Graph Neural Networks (HGNNs) are increasingly recognized for their performance in areas like the web and e-commerce. This paper introduces HGAttack, the first dedicated gray box evasion attack method for heterogeneous graphs.
  arXiv  Detail & Related papers  (2024-01-18T12:47:13Z)
• Efficient Network Representation for GNN-based Intrusion Detection [2.321323878201932]
  The last decades have seen a growth in the number of cyber-attacks with severe economic and privacy damages. We propose a novel network representation as a graph of flows that aims to provide relevant topological information for the intrusion detection task. We present a Graph Neural Network (GNN) based framework responsible for exploiting the proposed graph structure.
  arXiv  Detail & Related papers  (2023-09-11T16:10:12Z)
• Leveraging a Probabilistic PCA Model to Understand the Multivariate Statistical Network Monitoring Framework for Network Security Anomaly Detection [64.1680666036655]
  We revisit anomaly detection techniques based on PCA from a probabilistic generative model point of view. We have evaluated the mathematical model using two different datasets.
  arXiv  Detail & Related papers  (2023-02-02T13:41:18Z)
• Self-Supervised and Interpretable Anomaly Detection using Network Transformers [1.0705399532413615]
  This paper introduces the Network Transformer (NeT) model for anomaly detection. NeT incorporates the graph structure of the communication network in order to improve interpretability. The presented approach was tested by evaluating the successful detection of anomalies in an Industrial Control System.
  arXiv  Detail & Related papers  (2022-02-25T22:05:59Z)
• Graph-based Solutions with Residuals for Intrusion Detection: the Modified E-GraphSAGE and E-ResGAT Algorithms [0.0]
  This paper presents two novel graph-based solutions for intrusion detection, the modified E-GraphSAGE, and E-ResGATalgorithms. The key idea is to integrate residual learning into the GNN leveraging the available graph information. An extensive experimental evaluation of four recent intrusion detection datasets shows the excellent performance of our approaches.
  arXiv  Detail & Related papers  (2021-11-26T16:51:37Z)
• Anomaly Detection on Attributed Networks via Contrastive Self-Supervised Learning [50.24174211654775]
  We present a novel contrastive self-supervised learning framework for anomaly detection on attributed networks. Our framework fully exploits the local information from network data by sampling a novel type of contrastive instance pair. A graph neural network-based contrastive learning model is proposed to learn informative embedding from high-dimensional attributes and local structure.
  arXiv  Detail & Related papers  (2021-02-27T03:17:20Z)
• Graph Backdoor [53.70971502299977]
  We present GTA, the first backdoor attack on graph neural networks (GNNs) GTA departs in significant ways: it defines triggers as specific subgraphs, including both topological structures and descriptive features. It can be instantiated for both transductive (e.g., node classification) and inductive (e.g., graph classification) tasks.
  arXiv  Detail & Related papers  (2020-06-21T19:45:30Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.