Papers
Topics
Authors
Recent
Search
2000 character limit reached

GraphFaaS: Serverless GNN Inference for Burst-Resilient, Real-Time Intrusion Detection

Published 13 Nov 2025 in cs.CR | (2511.10554v1)

Abstract: Provenance-based intrusion detection is an increasingly popular application of graphical machine learning in cybersecurity, where system activities are modeled as provenance graphs to capture causality and correlations among potentially malicious actions. Graph Neural Networks (GNNs) have demonstrated strong performance in this setting. However, traditional statically-provisioned GNN inference architectures fall short in meeting two crucial demands of intrusion detection: (1) maintaining consistently low detection latency, and (2) handling highly irregular and bursty workloads. To holistically address these challenges, we present GraphFaaS, a serverless architecture tailored for GNN-based intrusion detection. GraphFaaS leverages the elasticity and agility of serverless computing to dynamically scale the GNN inference pipeline. We parallelize and adapt GNN workflows to a serverless environment, ensuring that the system can respond in real time to fluctuating workloads. By decoupling compute resources from static provisioning, GraphFaaS delivers stable inference latency, which is critical for dependable intrusion detection and timely incident response in cybersecurity operations. Preliminary evaluation shows GraphFaaS reduces average detection latency by 85% and coefficient of variation (CV) by 64% compared to the baseline.

Summary

  • The paper demonstrates a serverless GNN inference framework that reduces average detection latency by 85% (2.10s vs. 14.16s) while maintaining high accuracy.
  • The paper introduces dynamic partitioning and parallel processing techniques to handle bursty workloads and optimize resource scaling in cybersecurity.
  • The paper empirically validates GraphFaaS on the DARPA dataset, achieving stable, low-latency performance with a 64% reduction in latency variability.

Serverless Graph Neural Network Inference for Intrusion Detection: The GraphFaaS Architecture

Motivation and Problem Setting

Graph-based intrusion detection is a critical paradigm in cybersecurity, leveraging provenance graphs to capture the temporal and causal structure of system activities and malicious behavior. Recent advances in Graph Neural Networks (GNNs) have shown strong performance for provenance-based intrusion detection systems (PIDS), enabling more context-aware detection by modeling complex relationships. Despite their promise, current static GNN inference architectures encounter two key bottlenecks: (1) achieving consistently low detection latency, and (2) handling bursty, irregular workloads, typical of real-world security environments. These limitations can lead to either unacceptable detection delays or wasteful resource overprovisioning.

GraphFaaS introduces a serverless inference architecture for real-time, burst-resilient intrusion detection on provenance graphs. By elastically scaling compute resources and adapting core GNN workflows to serverless paradigms, GraphFaaS delivers stable, low-latency inference irrespective of fluctuating workload intensity. This is especially critical for time-sensitive threat response in operational cybersecurity.

Framework Architecture

GraphFaaS consists of three principal components: (i) provenance-aware graph construction, (ii) serverless node embedding, and (iii) serverless GNN inference. The architecture is designed to parallelize feature extraction and inference stages, leveraging automatic scaling to match demand in highly dynamic environments. Figure 1

Figure 1: Overview of the GraphFaaS framework illustrating parallel pipeline stages for graph construction, node embedding, and GNN inference in a serverless context.

1. Provenance-aware Graph Construction

System behavior originates from audit log streams, which are incrementally transformed into provenance graphs where nodes correspond to system entities (processes, files, sockets), and edges encode their interactions. Rather than reconstructing the entire graph for each detection interval, GraphFaaS applies temporal and structural locality filters: only the 2K-hop neighborhood around active nodes (where K is the GNN depth) is processed, and infrequently observed edges/nodes are prioritized to efficiently isolate anomalous subgraphs.

2. Serverless Node-level Embedding

Node attributes, predominantly textual (process names, file paths, IPs), are embedded into numerical vectors, serving as GNN input features. The serverless model decomposes featurization into parallel execution units sized by feature length, maintaining per-unit latency under pre-defined thresholds. Automatic scaling provisions compute to match incoming workload volume, ensuring consistent latency under bursty or idle conditions. This design mitigates the tail latency risks of conventional approaches.

3. Serverless GNN Inference

Message passing and aggregation within GNNs is orchestrated over partitioned subgraphs. To balance workloads and control computational resource usage, GraphFaaS introduces a greedy best-fit partitioning algorithm that minimizes the number of subgraphs subject to K-hop neighborhood size thresholds. If dependency explosion creates super-nodes exceeding these bounds, vertical scaling (enlarging CPU/memory per function) is used in lieu of further partitioning. The inference pipeline is fully parallelized and can elastically utilize cloud resources for demanding tasks without static overprovisioning.

Empirical Evaluation

GraphFaaS was implemented atop the OpenFaaS serverless platform and benchmarked against Flash, a state-of-the-art PIDS with similar detection models, on the DARPA TC Engagement 3 dataset (11 days, multiple attack campaigns). Detection accuracy is held constant between both systems, isolating architectural and runtime differences.

GraphFaaS delivers superior performance in latency and burst resilience: Figure 2

Figure 2: Detection latency distributions of GraphFaaS (mean = 2.10s, CV = 0.52) vs. baseline (mean = 14.16s, CV = 1.46), illustrating low and stable latency under bursty workloads.

  • Average detection latency reduced by 85% (2.10s vs. 14.16s)
  • Coefficient of variation reduced by 64%, indicating significantly improved stability
  • Latency spikes, even under burst traffic, never exceeded 10 seconds
  • Equivalence in detection accuracy compared to baseline

These results highlight the practical benefit of dynamic resource scaling for real-time intrusion detection.

Theoretical and Practical Implications

GraphFaaS demonstrates that serverless architectures can overcome key limitations of static graph ML deployments for cybersecurity. The model supports fine-grained decomposition and parallelization of GNN inference, tailored to highly irregular detection workloads. The adaptive partitioning approach ensures efficient utilization of cloud resources while controlling tail latency, which is critical for incident response pipelines in enterprise networks.

Theoretically, this architecture suggests new research avenues in distributed graph ML, specifically in node-centric parallelization, event-driven function orchestration, and dynamic adjustment of GNN model depth based on real-time graph topology characteristics.

Practical implications include cost-effective and scalable deployment of PIDS in cloud-managed infrastructure, reducing overprovisioning and underutilization, while guaranteeing stable threat detection latencies.

Future Directions

Open challenges include addressing dynamic dependence explosion in provenance graphs, where super-nodes form major latency bottlenecks. Dynamic adjustment of GNN depth and function invocation strategies will be necessary to efficiently capture long-range dependencies under real-time constraints. Expanding the evaluation of GraphFaaS to broader classes of PIDS and diverse graph characteristics will be essential for generalizability. Integrating serverless GNN training and incorporating adaptive graph pruning could further enhance resource efficiency and responsiveness.

Conclusion

GraphFaaS sets a strong precedent for the application of serverless computing patterns in GNN-based provenance analysis for cybersecurity. It achieves high stability and low latency under adversarial, bursty conditions without sacrificing detection effectiveness. The approach offers a structured pathway for scalable, responsive, and cost-efficient deployment of graph-based ML systems in operational security.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We found no open problems mentioned in this paper.

Collections

Sign up for free to add this paper to one or more collections.