GraphFaaS: Serverless GNN Inference for Burst-Resilient, Real-Time Intrusion Detection
Lingzhi Wang, Vinod Yegneswaran, Xinyi Shi, Ziyu Li, Ashish Gehani, Yan Chen
TL;DR
The paper tackles the challenge of achieving real-time, burst-resilient intrusion detection with graph neural networks by introducing GraphFaaS, a serverless architecture for GNN inference. It decomposes the workflow into provenance-aware graph construction, parallel serverless node embeddings, and scalable serverless GNN inference, including subgraph partitioning with a greedy best-fit strategy and a vertical scaling fallback. Empirical results on the DARPA TC dataset show that GraphFaaS dramatically reduces mean detection latency by approximately 6.7x and the coefficient of variation (CV) by approximately 64%, while maintaining the same detection accuracy as a state-of-the-art baseline. This work demonstrates that serverless design can provide elastic, low-latency GNN inference for provenance-based intrusion detection, enabling timely threat response and potentially lowering operational costs in bursty environments.
Abstract
Provenance-based intrusion detection is an increasingly popular application of graphical machine learning in cybersecurity, where system activities are modeled as provenance graphs to capture causality and correlations among potentially malicious actions. Graph Neural Networks (GNNs) have demonstrated strong performance in this setting. However, traditional statically provisioned GNN inference architectures fall short in meeting two crucial demands of intrusion detection: (1) maintaining consistently low detection latency, and (2) handling highly irregular and bursty workloads. To holistically address these challenges, we present GraphFaaS, a serverless architecture tailored for GNN-based intrusion detection. GraphFaaS leverages the elasticity and agility of serverless computing to dynamically scale the GNN inference pipeline. We parallelize and adapt GNN workflows to a serverless environment, ensuring that the system can respond in real time to fluctuating workloads. By decoupling compute resources from static provisioning, GraphFaaS delivers stable inference latency, which is critical for dependable intrusion detection and timely incident response in cybersecurity operations. Preliminary evaluation shows GraphFaaS reduces average detection latency by 85% and the coefficient of variation (CV) by 64% compared to the baseline.
