A Survey of Heterogeneous Graph Neural Networks for Cybersecurity Anomaly Detection
Laura Jiang, Reza Ryan, Qian Li, and Nasim Ferdosian

TL;DR
This survey reviews heterogeneous graph neural network methods for cybersecurity anomaly detection, analyzing models, datasets, and challenges to guide future research in scalable and interpretable solutions.
Contribution
It provides a comprehensive taxonomy, compares models, reviews datasets, and identifies open challenges in HGNN-based cybersecurity anomaly detection.
Findings
Classifies HGNN approaches by anomaly type and graph dynamics.
Analyzes key cybersecurity applications and datasets.
Highlights challenges and future directions for HGNN research.
Abstract
Anomaly detection is a critical task in cybersecurity, where identifying insider threats, access violations, and coordinated attacks is essential for ensuring system resilience. Graph-based approaches have become increasingly important for modeling entity interactions, yet most rely on homogeneous and static structures, which limits their ability to capture the heterogeneity and temporal evolution of real-world environments. Heterogeneous Graph Neural Networks (HGNNs) have emerged as a promising paradigm for anomaly detection by incorporating type-aware transformations and relation-sensitive aggregation, enabling more expressive modeling of complex cyber data. However, current research on HGNN-based anomaly detection remains fragmented, with diverse modeling strategies, limited comparative evaluation, and an absence of standardized benchmarks. To address this gap, we provide a…
