Graph neural networks for anomaly detection: a systematic review of dynamic temporal approaches

Graph Neural Network (GNN) have recently gained significant attention for their ability to model evolving relationships in graph-structured data, offering new opportunities for anomaly detection in cybersecurity. This Systematic Literature Review (SLR) examines the current state of research on these models applied to cybersecurity-related anomaly detection tasks. We systematically analyze 79 studies to identify key trends, challenges, and opportunities in this emerging field. Our review highlights that while GNN offer unique advantages such as capturing spatiotemporal dependencies and modeling complex cyber-threat patterns, several barriers remain, including scalability issues, limited real-world datasets, and the lack of interpretability in most models. Common architectures such as Graph Convolutional Networks (GCN), Graph Attention Networks (GAT), and hybrid Transformer-based models are identified, along with their applications in intrusion detection, botnet detection, and anomaly detection in industrial control systems. Several studies propose that GNN can overcome current limitations by integrating contrastive learning and adaptive models for real-time threat detection. This review emphasizes the need for scalable, explainable, and deployment-ready solutions to fully realize the potential of dynamic graph models in cybersecurity. Future research should focus on developing scalable and adaptive architectures, integrating improved interpretability mechanisms, and enhancing model robustness through cross-domain validation and real-time applications.