Graph Neural Network Based Adaptive Threat Detection for Cloud Identity and Access Management Logs
Venkata Tanuja Madireddy

TL;DR
This paper introduces a Graph Neural Network framework for adaptive, real-time threat detection in cloud IAM logs, effectively capturing complex relational patterns to identify malicious activities.
Contribution
It presents a novel GNN-based approach that models IAM logs as dynamic graphs, enabling real-time, adaptive threat detection in cloud security environments.
Findings
Achieves higher detection precision and recall than baseline models
Demonstrates scalability across multi-tenant cloud environments
Enables proactive mitigation of insider threats and lateral movements
Abstract
The rapid expansion of cloud infrastructures and distributed identity systems has significantly increased the complexity and attack surface of modern enterprises. Traditional rule-based or signature-driven detection systems are often inadequate in identifying novel or evolving threats within Identity and Access Management (IAM) logs, where anomalous behavior may appear statistically benign but contextually malicious. This paper presents a Graph Neural Network Based Adaptive Threat Detection framework designed to learn latent user-resource interaction patterns from IAM audit trails in real time. By modeling IAM logs as heterogeneous dynamic graphs, the proposed system captures temporal, relational, and contextual dependencies across entities such as users, roles, sessions, and access actions. The model incorporates attention-based aggregation and graph embedding updates to enable continual…
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Graph Neural Networks · Information and Cyber Security
