Enhance Graph-Based Intrusion Detection in Optical Networks via Pseudo-Metapaths

Abstract

Deep learning on graphs has emerged as a leading paradigm for intrusion detection, yet its performance in optical networks is often hindered by sparse labeled data and severe class imbalance, leading to an “under-reaching” issue where supervision signals fail to propagate effectively. To address this, we introduce Pseudo-Metapaths: dynamic, semantically aware propagation routes discovered on-the-fly. Our framework first leverages Beta-Wavelet spectral filters for robust, frequency-aware node representations. It then transforms the graph into a dynamic heterogeneous structure using the model’s own pseudo-labels to define transient ‘normal’ or ‘anomaly’ node types. This enables an attention mechanism to learn the importance of different Pseudo-Metapaths (e.g., Anomaly–Normal–Anomaly), guiding supervision signals along the most informative routes. Extensive experiments on four benchmark datasets demonstrate quantitative superiority. Our model achieves state-of-the-art F1-scores, outperforming a strong spectral GNN backbone by up to 3.15%. Ablation studies further confirm that our Pseudo-Metapath module is critical, as its removal causes F1-scores to drop by as much as 7.12%, directly validating its effectiveness against the under-reaching problem.

1. Introduction

Modern global communications fundamentally depend on optical networks, which provide the high-capacity, long-haul infrastructure necessary to sustain today’s exponentially growing data demands [1,2,3,4]. Their continued advancement is not merely a technological imperative but a societal one, as they enable essential services—from broadband internet to the operation of national critical systems [5,6,7]. Yet, as these networks grow more intricate and indispensable, their role in transmitting sensitive, high-stakes information makes them prime targets for advanced cyber threats [8,9,10]. Attack vectors now extend beyond traditional service outages to include insidious physical-layer intrusions, jeopardizing both network reliability and broader security interests [10,11]. Consequently, fortifying the resilience and security of optical infrastructure against such adaptive—and often covert—adversarial tactics has emerged as a paramount challenge [11].

We select optical networks as the focal point of this study precisely because they create a “perfect storm” of challenges for intrusion detection, making them an ideal proving ground for advanced graph-based methods. Firstly, the high-stakes and critical nature of optical infrastructure demands extremely high reliability, meaning that successful intrusions are, by design, extremely rare events. This operational reality directly translates into datasets with severe class imbalance and sparse labels—the very conditions that cripple standard supervised learning models. Secondly, the sheer volume and speed of data transmission make traditional deep packet inspection infeasible, shifting the focus to relational and behavioral patterns among network devices. This naturally motivates modeling the system as a graph, where subtle, coordinated malicious activities can be identified. Therefore, fortifying optical networks necessitates a paradigm that can effectively learn from sparse, imbalanced relational data and propagate supervisory signals across vast topologies, which is the central challenge we address.

Recently, graph-based deep learning has become a compelling paradigm for intrusion detection. Communication systems can be naturally modeled as graphs where nodes represent network devices and edges capture traffic flows, control-plane associations, or physical-layer couplings. Graph Neural Networks (GNNs) excel at learning from such relational data, enabling context-aware detection that surpasses methods based on isolated features [12,13]. However, directly applying GNNs to real-world optical networks reveals critical limitations. The core challenge stems from the intersection of severe label sparsity—anomalies are inherently rare and expensive to annotate—and the need for supervision signals to propagate across vast, complex topologies [14].

This leads to a critical bottleneck we formalize as under-reaching: supervision signals from the few labeled nodes fail to effectively influence the predictions of distant, unlabeled nodes that may be semantically related. This issue is exacerbated by two intertwined phenomena. First, deep message-passing GNNs are hampered by over-smoothing and over-squashing, which respectively dilute discriminative features and create informational bottlenecks that prevent long-range signal transmission [15,16,17,18,19]. Second, intrusion patterns in optical networks frequently violate the homophily assumption [20,21], as malicious nodes often connect to predominantly benign neighborhoods. This heterophilous nature blunts the effectiveness of standard GNNs, which are optimized for homophilous connections [22,23,24].

Existing remedies address parts of this problem but are insufficient in isolation. Post hoc label propagation can improve local consistency but falters under the severe label scarcity [25,26]. Self-training with pseudo-labels amplifies supervision but risks propagating confirmation bias, especially under strong class imbalance [27,28,29,30]. On the representation side, spectral methods are adept at capturing high-frequency anomaly signatures but lack a mechanism to guide supervision along meaningful multi-hop routes [31,32]. Finally, while heterogeneous GNNs elegantly handle relational semantics, they require a predefined schema, which is absent in this dynamically evolving problem [33,34]. A unified framework that captures anomaly-specific signals while simultaneously learning where to propagate them remains a critical gap.

We address this gap by introducing Pseudo-Metapaths: dynamic, semantically aware propagation routes discovered on-the-fly. Our framework begins by using Beta-Wavelet spectral filtering to extract high-frequency components indicative of anomalies, producing robust initial node embeddings that are resilient to heterophily and local noise. The core of our innovation lies in then transforming the graph into a transiently heterogeneous structure. At each training epoch, we assign temporary “normal” or “anomaly” types to nodes using the model’s own pseudo-labels. This transformation enables an attention mechanism to automatically learn which Pseudo-Metapaths (e.g., ‘Anomaly–Normal–Anomaly‘) are most effective for conveying supervisory signals. By coupling high-frequency spectral cues with dynamic metapath attention, our framework delivers label information across semantically promising—not merely topologically adjacent—regions of the network, directly combating the under-reaching problem.

Our contributions are threefold:

• We introduce a formalization of the under-reaching problem for intrusion detection in optical networks, identifying its roots in the interplay of label sparsity, class imbalance, and network heterophily.
• We propose the concept of Pseudo-Metapaths—a novel mechanism to learn dynamic, pseudo-label-conditioned propagation channels. We integrate this into a framework with Beta-Wavelet filtering to both capture and intelligently route anomaly signals.
• We provide extensive empirical validation demonstrating that our method consistently outperforms remarkable GNNs and specialized graph anomaly detection techniques, showcasing superior robustness and long-range supervision propagation.

2. Background

Optical networks inherently exhibit a graph structure, where network devices can be naturally represented as nodes and their interconnections as edges. This structural correspondence makes Graph Neural Networks (GNNs) a compelling choice for intrusion detection, as they leverage message passing to capture relational dependencies that are invisible to traditional, feature-based models [12]. By aggregating information from local neighborhoods, GNNs learn contextualized representations that reflect both node attributes and topological context. This formulation situates the problem within the broader field of graph anomaly detection (GAD), which aims to identify nodes, edges, or subgraphs that deviate significantly from expected behavioral or structural patterns [31]. At its core, GAD relies on the principle that anomalies manifest as statistical or structural outliers in the graph [35].

However, applying this paradigm to intrusion detection in optical networks introduces significant practical challenges. Unlike typical GAD settings, security-related anomalies in optical infrastructures are not only rare and difficult to label but also exhibit complex, non-localized patterns that strain the assumptions and mechanisms of standard GNNs. Two interdependent issues stand out: the heterophilous nature of malicious activity and the limited capacity of GNNs to propagate supervision effectively across sparse and unbalanced graphs.

One major challenge is heterophily, where malicious nodes frequently reside in neighborhoods dominated by benign entities [35]. This contradicts the homophily bias embedded in most conventional GNN architectures, which assume that connected nodes are likely to share similar labels or features. As a result, these models tend to average out anomalous signals during neighborhood aggregation, leading to the suppression or complete loss of critical evidence [22]. In such scenarios, anomalies become harder to distinguish.

To mitigate this limitation, recent research has increasingly turned to spectral graph theory. Wavelet-based frameworks offer a powerful means to isolate specific frequency components of graph signals, thereby amplifying high-frequency patterns that are often indicative of anomalous behavior [24,36]. Several state-of-the-art methods have built upon this principle [37]. For example, BWGNN [38] employs Beta kernels to construct adaptive, localized band-pass filters specifically tuned for high-frequency anomalies. AMNet [39] integrates signals across multiple frequency bands to enrich node representations, while BernNet [40] leverages Bernstein polynomials to achieve more expressive and flexible spectral filtering. Although these approaches excel at capturing the spectral signatures of anomalies, they do not inherently address the challenge of propagating such discriminative information effectively across the graph, especially when supervision is limited to only a few labeled nodes.

Another remaining core bottleneck rooted in the GNN’s message-passing mechanism itself. Constrained to propagate information strictly along the graph’s explicit edges, standard GNNs are prone to over-smoothing, where node representations become indistinguishable after multiple hops, and over-squashing, where rich signals are compressed through narrow structural bottlenecks [17,18,41]. The consequences of these propagation issues are significantly exacerbated in domains such as intrusion detection, which suffer from sparse labels and severe class imbalance. In such challenging settings, this confluence of factors gives rise to what we term the under-reaching problem: supervision signals from the few labeled anomalies are too attenuated to effectively influence distant yet semantically relevant nodes [42,43]. Given the topological sparsity of malicious entities, critical discriminative cues must often traverse long, multi-hop paths, a task for which conventional message passing is fundamentally ill-suited, which is the central concern of this paper.

3. Preliminary

In this section, we introduce some necessary concepts used in this paper.

3.1. Heterogeneous Graph and Metapath

Much real-world data can be effectively represented as Heterogeneous Graphs (HeteGs). In contrast to homogeneous graphs, HeteGs encompass multiple types of nodes and edges, each conveying rich information and forming a complex topological structure. Motivated by the need to analyze such data, various well-performing Heterogeneous Graph Neural Networks (HeteGNNs) have been proposed [44,45]. HeteGNNs often adopt a metapath-centric framework to integrate the diverse attributes inherent in HeteGs. The core concept involves utilizing metapaths to semantically aggregate nodes that are distantly located from each other [44]. For example, as shown in Figure 1, with the metapath paper-author-paper, paper-typed node-P0 and {P4,5,6} can be viewed as neighbors directly while ignoring author-typed node-A2. Unlike traditional GNNs, which directly aggregate messages from adjacent nodes, most HeteGNNs employ a concept known as metapaths.

3.2. Spectral Graph Processing

By treating the features on nodes as signals, regarding the smoothness of the signals as frequency, and associating it with the eigenvalues of the graph’s Laplacian matrix, spectral graph methods provide an alternative but effective aspect for graph data processing distinct from the topological domain [46,47].

An undirected and unweighted graph comprising N vertices can be formally described as $G=(V,E)$. When we consider the features associated with each node, we denote the graph as $\mathcal{G}=(\mathcal{V},\mathcal{E},X)$, where X represents the node feature matrix. This distinction allows us to first discuss the topological properties and subsequently incorporate the node-level signal information required for our spectral analysis and GNN model, with V representing the set of vertices and E the collection of edges. The structure is encoded in the adjacency matrix $A\in {\mathbb{R}}^{N\times N}$. To analyze graph signals spectrally, we utilize the Laplacian matrix defined as $L=D-A$, where the diagonal matrix D has entries $D_{ii}={\sum }_j{A}_{ij}$. Given that L exhibits real, symmetric, and positive semi-definite properties, it can be factorized as $L=U\Lambda U^{\top }$. Here, U encompasses the eigenvectors while $\Lambda =\mathrm{diag}({\lambda }_1,\dots ,{\lambda }_N)$ represents eigenvalues arranged in ascending order ($0={\lambda }_1\le \dots \le {\lambda }_N$). The eigenvectors contained in U constitute the Graph Fourier Basis, with eigenvalues corresponding to graph frequencies [48].

For a signal $\mathit{x}\in {\mathbb{R}}^N$ defined on the graph, its smoothness metric is expressed by Equation (1):

$${\mathit{x}}^{\top }L\mathit{x}=\sum _{(i,j)\in \mathcal{E}}{({\mathit{x}}_i-{\mathit{x}}_j)}^2=\sum _{k=1}^N{\lambda }_k{\widehat{\mathit{x}}}_k^2,$$

(1)

with $\widehat{\mathit{x}}=U^{\top }\mathit{x}$. This formulation reveals that signal components associated with smaller eigenvalues exhibit smoother (lower-frequency) variations across the graph, whereas those linked to larger eigenvalues manifest higher-frequency fluctuations. The Graph Fourier Transform (GFT) facilitates spectral processing through $\tilde{\mathit{x}}=U\varphi (\Lambda )U^{\top }\mathit{x}$, where $\varphi$ functions as a component-wise filter in the spectral domain.

3.3. Graph Spectral Wavelet and Its Chebyshev Approximation

The Graph Wavelet Transform is constructed from two fundamental elements: a scaling function and a set of wavelet kernels. For any given scale $s\in \{1,2,\dots ,S\}$, the wavelet kernel is formulated as an operator $g_s\left(L\right)=U{g}_s(\Lambda )U^{\top }$, and similarly, the scaling function is defined as the operator $g_{\varphi }\left(L\right)=U{g}_{\varphi }(\Lambda )U^{\top }$.

Direct computation of these transforms is often impractical for large graphs due to the high computational cost of eigen-decomposition, which scales cubically with the number of nodes ($O\left(N^3\right)$). To circumvent this bottleneck, a common strategy is to employ Chebyshev polynomial expansion to approximate the operators $g_s\left(L\right)$ and $g_{\varphi }\left(L\right)$. A prerequisite for applying Chebyshev approximation to a function $f\left(x\right)$ is that its input domain must be confined to the interval $[-1,1]$. To meet this requirement, it is advantageous to utilize the normalized graph Laplacian, which is defined as

$$\widehat{L}=I-D^{-{\displaystyle \frac{1}{2}}}A{D}^{-{\displaystyle \frac{1}{2}}},$$

(2)

where D represents the diagonal degree matrix ($D_{ii}={\sum }_j{A}_{i,j}$) and A is the adjacency matrix. The eigenvalues of this normalized Laplacian $\widehat{L}$ are guaranteed to fall within the range $[0,2]$, a property that facilitates the necessary rescaling for the approximation of $g_s$ and $g_{\varphi }$. For the remainder of this paper, unless otherwise specified, the eigen-decomposition $U\Lambda U^T$ will refer to that of the normalized Laplacian $\widehat{L}$

Both the wavelet kernels $g_s\left(\widehat{L}\right)$ and the scaling function $g_{\varphi }\left(\widehat{L}\right)$ can be approximated using this polynomial expansion. For notational convenience, we can consolidate these operators into a single matrix:

$$W={[g_{\varphi }{\left(\widehat{L}\right)}^{\top },g_1{\left(\widehat{L}\right)}^{\top },g_2{\left(\widehat{L}\right)}^{\top },\dots ,g_S{\left(\widehat{L}\right)}^{\top }]}^{\top }.$$

(3)

As established in [36], these approximations, denoted as ${\tilde{g}}_{\varphi }$ and ${\tilde{g}}_s$, are formulated using a truncated Chebyshev series of order Z:

$${\tilde{g}}_{\varphi }\left(\widehat{L}\right)={\displaystyle \frac{1}{2}}{c}_{0,0}+\sum _{z=1}^Z{c}_{0,z}{T}_z\left(\widehat{L}\right);{\tilde{g}}_s\left(\widehat{L}\right)={\displaystyle \frac{1}{2}}{c}_{s,0}+\sum _{z=1}^Z{c}_{s,z}{T}_z\left(\widehat{L}\right),$$

(4)

where $T_z\left(\widehat{L}\right)$ represents the z-th order Chebyshev polynomial evaluated at the normalized Laplacian $\widehat{L}$. These polynomials are generated via the recurrence relation:

$$T_z\left(\widehat{L}\right)=2\left({\displaystyle \frac{2}{{\lambda }_{max}}}\widehat{L}-I\right)T_{z-1}\left(\widehat{L}\right)-T_{z-2}\left(\widehat{L}\right),$$

(5)

with initial conditions $T_0\left(\widehat{L}\right)=I$ and $T_1\left(\widehat{L}\right)={\displaystyle \frac{2}{{\lambda }_{max}}}\widehat{L}-I$. The corresponding Chebyshev coefficients, $c_{0,z}$ and $c_{s,z}$, are determined by the following integrals:

$$c_{0,z}={\displaystyle \frac{2}{\pi }}{\int }_0^{\pi }cos\left(z\theta \right)g_{\varphi }\left({\displaystyle \frac{{\lambda }_{max}(cos\theta +1)}{2}}\right)d\theta ,$$

(6)

$$c_{s,z}={\displaystyle \frac{2}{\pi }}{\int }_0^{\pi }cos\left(z\theta \right)g_s\left({\displaystyle \frac{{\lambda }_{max}(cos\theta +1)}{2}}\right)d\theta .$$

(7)

The resulting approximated transform operator can be written as

$$\tilde{W}={[{\tilde{g}}_{\varphi }{\left(\widehat{L}\right)}^{\top },{\tilde{g}}_1{\left(\widehat{L}\right)}^{\top },{\tilde{g}}_2{\left(\widehat{L}\right)}^{\top },\dots ,{\tilde{g}}_S{\left(\widehat{L}\right)}^{\top }]}^{\top }.$$

(8)

An important property of this transform is the Parseval tight frame condition, which is met if $g_{\varphi }{\left(\lambda \right)}^2+{\sum }_{s=1}^S{g}_s{\left(\lambda \right)}^2=1$ for all eigenvalues $\lambda \in \Lambda$. When this condition holds, the transform is energy-preserving. This is typically realized by carefully choosing kernel functions, such as those from the Meyer or Mexican hat families. In cases where the tight frame property is not satisfied, signal reconstruction requires the Moore–Penrose pseudoinverse of the operator, ${\tilde{W}}^{+}$, which is calculated as

$${\tilde{W}}^{+}={\left({\tilde{W}}^{\top }\tilde{W}\right)}^{-1}{\tilde{W}}^{\top },$$

(9)

Consequently, for a given signal $\mathit{x}\in {\mathbb{R}}^N$ on the graph, its wavelet coefficients are $\mathit{c}=\tilde{W}\mathit{x}$, and the signal can be reconstructed via the inverse transform:

$$\tilde{\mathit{x}}={\tilde{W}}^{+}\mathit{c},$$

(10)

where the operator $\tilde{W}$ has dimensions ${\mathbb{R}}^{(S+1)N\times N}$, while its pseudoinverse ${\tilde{W}}^{+}$ has dimensions ${\mathbb{R}}^{N\times (S+1)N}$, with N representing the total number of graph nodes.

The primary advantage of the Chebyshev approximation lies in its computational efficiency. For a graph comprising N nodes and E edges, a Z-order polynomial approximation requires a series of matrix-vector multiplications involving the sparse Laplacian matrix. This process has a computational cost of $O(Z·E)$. Given that Z is a small constant (typically between 10 and 50) that does not depend on the graph size N, and for sparse graphs where E is often proportional to N, the overall complexity is nearly linear. This makes the method significantly more scalable and tractable for large-scale graphs than the computationally prohibitive $O\left(N^3\right)$ complexity associated with direct eigen-decomposition.

It is important to acknowledge that the explicit computation of the graph Laplacian’s eigen-decomposition has a theoretical complexity of $O\left(N^3\right)$, which can be prohibitive for very large graphs. However, for the small-to-medium-scale datasets considered in our experiments (where the number of nodes $N<5000$), this direct spectral approach remains computationally feasible. Thanks to modern hardware acceleration, particularly CUDA-enabled GPUs such as the NVIDIA H800, the practical execution time for this operation is well within an acceptable range for typical research workflows. Therefore, we adopt the direct eigen-decomposition method in our current framework for its precision. The exploration of approximation techniques to enhance scalability for larger graphs, such as the Chebyshev polynomial expansion, is deferred as a direction for future work.

3.4. Spectral Properties of Anomaly Signals: Anomalies as High-Frequency Components

A foundational challenge in applying GNNs to anomaly detection is that many conventional architectures, such as GCN, implicitly function as low-pass filters. By design, they smooth signals across neighborhoods, which is effective under the homophily assumption but counterproductive for anomaly detection. Anomalies, by definition, represent significant deviations from the norm, introducing sharp, localized changes into the graph signal. These abrupt variations are fundamentally high-frequency phenomena. The seminal work by Tang et al. [38] provides a rigorous spectral analysis of this behavior, mathematically proving a key characteristic: the presence of anomalies causes the signal’s spectral energy to concentrate in the high-frequency domain. To understand this, we delve into their theoretical framework. To formalize the analysis, given an unweighted, undirected homogeneous graph, we assume its node features (the signal) $\mathit{x}\in {\mathbb{R}}^N$ are drawn from a multivariate Gaussian distribution:

$$\mathit{x}\sim \mathcal{N}(\mu {\mathit{e}}_N,{\sigma }^2{I}_N),$$

(11)

where $\mu {\mathit{e}}_N$ is the mean vector (with ${\mathit{e}}_N$ being an all-ones vector) and ${\sigma }^2$ is the variance. In this model, the degree of anomaly is quantified by the coefficient of variation, $\sigma /\left|\mu \right|$. A larger variance $\sigma$ or a smaller absolute mean $\left|\mu \right|$ signifies greater deviation among node features, thus representing a more pronounced anomalous state in the overall graph signal.

3.4.1. Signal Analysis in the Spectral Domain

The analysis transitions from the spatial domain to the spectral domain via the Graph Fourier Transform (GFT), $\widehat{\mathit{x}}=U^{\top }\mathit{x}$. Due to the rotational invariance of the Gaussian distribution, the transformed signal $\widehat{\mathit{x}}$ is also Gaussian: $\widehat{\mathit{x}}\sim \mathcal{N}(\mu U^{\top }{\mathit{e}}_N,{\sigma }^2{I}_N)$.

A crucial insight lies in the structure of $U^{\top }{\mathit{e}}_N$. For a connected, undirected graph, the all-ones vector ${\mathit{e}}_N$ is the eigenvector corresponding to the smallest eigenvalue ${\lambda }_1=0$. Consequently, the vector $U^{\top }{\mathit{e}}_N$ is non-zero only at its first component, i.e., $U^{\top }{\mathit{e}}_N={[\sqrt{N},0,\dots ,0]}^{\top }$. This implies that the distributions of the spectral coefficients are not identical:

• The first spectral coefficient (the DC component) follows a non-central distribution: ${\widehat{x}}_1\sim \mathcal{N}(\mu \sqrt{N},{\sigma }^2)$.
• All other coefficients (the AC components) are centered at zero: ${\widehat{x}}_i\sim \mathcal{N}(0,{\sigma }^2)$ for $i=2,\dots ,N$.

This decomposition is key: the signal’s mean primarily influences the lowest frequency, while its variance—and thus, its anomalous nature—is captured by the higher frequencies.

3.4.2. Mathematical Proof of Increased High-Frequency Energy

To quantify how energy is distributed across frequencies, Tang et al. [38] introduce the low-frequency energy ratio:

$${\eta }_k(\mathit{x},L)={\displaystyle \frac{{\sum }_{i=1}^k{\widehat{x}}_i^2}{{\sum }_{i=1}^N{\widehat{x}}_i^2}},$$

(12)

which measures the proportion of signal energy within the first k lowest frequencies. The goal is to show that as the anomaly degree $\sigma /\left|\mu \right|$ increases, ${\eta }_k(\mathit{x},L)$ decreases.

To achieve this, the Proposition 2 in [38] demonstrates that the expected inverse of this ratio, ${\mathbb{E}}_{\mathit{x}}[1/{\eta }_k(\mathit{x},L)]$, is monotonically increasing with the anomaly degree $\sigma /\left|\mu \right|$. The logic is as follows: the term ${\mathbb{E}}_{\mathit{x}}[1/{\eta }_k(\mathit{x},L)]-1$ can be expressed as $\mathbb{E}\left[{\displaystyle \frac{{\sum }_{i=k+1}^N{\widehat{x}}_i^2}{{\sum }_{i=1}^k{\widehat{x}}_i^2}}\right]$. By normalizing with $\sigma$ and letting $z_i={\widehat{x}}_i/\sigma$, we have $z_1\sim \mathcal{N}({\displaystyle \frac{\mu \sqrt{N}}{\sigma }},1)$ and $z_i\sim \mathcal{N}(0,1)$ for $i>1$. The expectation becomes dependent on the term $\mathbb{E}\left[{\displaystyle \frac{{\sum }_{i=k+1}^N{z}_i^2}{z_1^2+{\sum }_{i=2}^k{z}_i^2}}\right]$. The sum ${\sum }_{i=2}^k{z}_i^2$ follows a central chi-squared distribution, but $z_1^2$ follows a non-central chi-squared distribution whose non-centrality parameter is related to ${\left({\displaystyle \frac{\mu \sqrt{N}}{\sigma }}\right)}^2$. The core of the proof is realizing that as the anomaly degree $\sigma /\left|\mu \right|$ increases, the non-centrality parameter for $z_1^2$ decreases. This reduces the expected value of $z_1^2$. A smaller denominator $\mathbb{E}[z_1^2+{\sum }_{i=2}^k{z}_i^2]$ leads to a larger value for the entire expectation ${\mathbb{E}}_{\mathit{x}}[1/{\eta }_k(\mathit{x},L)]$.

This chain of reasoning mathematically confirms that a higher degree of anomaly leads to a smaller proportion of energy in the low-frequency spectrum. Since the low-frequency and high-frequency energy components must add up to the total signal energy, a decrease in the proportion of low-frequency energy directly implies a corresponding increase in the proportion of high-frequency energy. This provides a strong theoretical justification for our approach: to effectively detect intrusions, it is not just beneficial but necessary to employ a mechanism capable of capturing these high-frequency spectral signatures. This motivates our choice of the Beta-Wavelet module, which is explicitly designed as a set of learnable band-pass filters, making it exceptionally well-suited to isolate the discriminative high-frequency components that characterize anomalous activities.

Discussion

To further justify our spectral approach, we contrast it with methods that rely on purely topological features. The key distinction lies in the nature of the anomalies we aim to detect: they manifest as high-frequency signals rather than distinctive topological structures. Consequently, a purely structural approach, such as one based on graph domination, would fail in two key scenarios:

• Camouflaged Anomalies: A node with a highly anomalous feature vector (a large deviation in its signal, leading to a large ${\mathit{x}}^{\top }L\mathit{x}$) could be located in a structurally unremarkable part of the graph (e.g., low centrality, not part of a minimal dominating set). A structural method would miss it, whereas spectral filtering is designed to detect such high-frequency variations.
• Structural Outliers with Normal Behavior: A node could be a structural outlier (e.g., a bridge node, high centrality) but exhibit perfectly normal features. Its signal ${\mathit{x}}_v$ would be similar to its neighbors, resulting in a low ${\mathit{x}}^{\top }L\mathit{x}$. A structural parameter might flag it as important or suspicious, while spectral analysis would correctly identify its signal as low-frequency (smooth) and thus non-anomalous.

Therefore, while structural parameters are valuable for understanding graph topology, they are mathematically ill-equipped to detect anomalies defined by signal characteristics. The spectral approach, by its very formulation, is designed to analyze this crucial signal-structure relationship, making it the more appropriate and powerful choice for our task.

4. Methodology

Our proposed framework, PseudoMetapathNet, tackles the under-reaching problem in graph-based intrusion detection by creating and leveraging dynamic, semantically aware propagation routes. In contrast to methods that augment graph structures topologically, our approach learns to route supervision signals along “Pseudo-Metapaths” that are most informative for identifying anomalies. The entire process can be broken down into three main stages: (a) learning robust, frequency-aware node representations using Beta-Wavelet spectral filters; (b) dynamically transforming the graph into a pseudo-heterogeneous structure based on the model’s evolving predictions; and (c) propagating information via an attention mechanism that learns the importance of different Pseudo-Metapaths. Figure 2 provides a schematic overview of our framework.

We detail these three stages in the following three subsections.

4.1. Beta-Wavelet-Based Graph Representation Learning

As spectral graph theory suggests, anomalies often manifest as high-frequency signals relative to their local neighborhoods. To effectively isolate these discriminative spectral signatures, our framework is built upon a spectral GNN backbone. We specifically select a model inspired by the Beta-Wavelet Graph Neural Network (BWGNN) [38], leveraging its proven ability to construct precise, tunable band-pass filters ideal for graph-based anomaly detection (GAD).

The filter’s design is grounded in the scaled Beta kernel function, which provides mathematical control over its spectral response. This function is expressed as

$${\beta }_{p,q}^{*}\left(\omega \right)={\displaystyle \frac{1}{B(p+1,q+1)}}{\omega }^p{(1-\omega )}^q,$$

(13)

where $B(p+1,q+1)={\displaystyle \frac{p!q!}{(p+q+1)!}}$, and $\omega \in (0,1)$ represents a scaled eigenvalue from the graph spectrum. As detailed in the work of Tang et al. [38], the two parameters, p and q, allow for precise control over the filter’s central frequency and bandwidth, analogous to the mean and variance of a Beta distribution.

First, the filter’s central frequency (${\mu }_f$), where its response is maximal, is determined by the ratio of p to q:

$${\mu }_f={\displaystyle \frac{2(p+1)}{p+q+2}}.$$

(14)

To target high-frequency signals, which correspond to the largest eigenvalues of the graph Laplacian (approaching 2), we can simply set $p\gg q$. This ensures the filter is most sensitive to the spectral bands where anomaly signatures typically reside. Second, the filter’s bandwidth, or precision, is controlled by its variance (${\sigma }_f^2$):

$${\sigma }_f^2={\displaystyle \frac{4(p+1)(q+1)}{{(p+q+2)}^2(p+q+3)}}.$$

(15)

As the polynomial order $p+q$ increases, the variance ${\sigma }_f^2$ approaches zero, concentrating the filter’s energy around its central frequency ${\mu }_f$. This transforms it into a highly selective, narrow band-pass filter, crucial for distinguishing anomalous patterns from other innocuous high-frequency noise. In essence, by tuning p and q, we can engineer a filter that is both centered on the high-frequency regions and highly selective in its response.

This kernel is used to construct a family of $C+1$ wavelet base filters, which together form the multi-scale filter of our representation learning module $g_{\theta }$. Each wavelet filter matrix, representing a specific instance of the general graph wavelet operator $g_s\left(\widehat{L}\right)$ discussed previously, is defined as

$${\Psi }_i=U·\mathrm{diag}\left({\beta }_{i,C-i}^{*}(\Lambda )\right)·U^T$$

(16)

The complete filtering operation on a d-dimensional input signal $X\in {\mathbb{R}}^{N\times d}$ then produces an initial set of node embeddings $Z_{\mathrm{initial}}$, as defined in Equation (17):

$$Z_{\mathrm{initial}}=g_{\theta }\left(\widehat{L}\right)X=U{g}_{\theta }(\Lambda )U^{T}X$$

(17)

where $\widehat{L}=I-D^{-1/2}A{D}^{-1/2}$ is the normalized graph Laplacian with eigen-decomposition $\widehat{L}=U\Lambda U^T$.

While these initial embeddings are effective at capturing intrinsic node characteristics, relying solely on this module for prediction suffers from the “under-reaching” issue: the supervision signal from the few labeled nodes cannot effectively propagate to distant unlabeled nodes. This limitation motivates the subsequent steps of our methodology. It is also worth noting that our framework is modular. While we select BWGNN as a powerful spectral backbone, other GNNs adept at capturing high-frequency signals, such as ACM-GNN [49] or FAGCN [50], could serve as alternative feature extractors. As our experiments will demonstrate, the most significant performance gains stem from our novel propagation mechanism, which is agnostic to the specific choice of the initial encoder.

4.2. Dynamic Graph Heterogenization

To overcome the propagation limits of standard GNNs and enable more sophisticated, semantically driven message passing, we introduce a novel step: dynamic graph heterogenization. The core idea is to temporarily impose a heterogeneous structure onto the natively homogeneous graph, allowing us to leverage powerful semantic aggregation via metapaths.

This transformation is achieved dynamically at each training iteration k. First, using the node representations $Z_{\mathrm{initial}}^{\left(k\right)}$ generated by the Beta-Wavelet module, the model computes a preliminary set of predictions (i.e., pseudo-labels) for all nodes. A node v is assigned a temporary type $\tau \left(v\right)$ based on its predicted probability of being an anomaly:

$$\tau \left(v\right)=\left\{\begin{array}{cc}\mathrm{Anomaly}\left(\mathrm{A}\right)\hfill & \mathrm{if}p(y_v=1|Z_{\mathrm{initial}}^{\left(k\right)})\ge \delta \hfill \\ \mathrm{Normal}\left(\mathrm{N}\right)\hfill & \mathrm{otherwise}\hfill \end{array}\right.$$

(18)

where $\delta$ is a confidence threshold. This process transforms the input homogeneous graph G into a transient, pseudo-heterogeneous graph $G^{\prime \left(k\right)}=\langle V,E,\mathcal{T},X\rangle$, where $\mathcal{T}$ is the set of temporary node types $\mathcal{T}=\left\{\mathrm{Normal},\mathrm{Anomaly}\right\}$.

Crucially, this heterogenization is not static. The node types are recalculated at every training step, evolving as the model’s understanding of the graph improves. This dynamic nature allows the model to self-correct and progressively refine the semantic structure it uses for information propagation, preventing early-stage prediction errors from causing permanent damage.

4.3. Propagating via Learnable Pseudo-Metapaths

With the dynamically induced heterogeneous structure, we propose a mechanism to automatically learn optimal composite Pseudo-Metapaths in an on-the-fly fashion. Specifically, we generate new adjacency matrices representing useful multi-hop relations and then perform propagations on these learned Pseudo-Metapaths.

First, based on the node types in $G^{\prime \left(k\right)}$, we define a set of candidate adjacency matrices $\mathcal{A}$. This set includes matrices for each possible pseudo-relation type:, namely $A_{AA},A_{AN},A_{NA},A_{NN}$, where $A_{{\tau }_1{\tau }_2}(i,j)=1$ if there is an edge from node j of type ${\tau }_2$ to node i of type ${\tau }_1$. To learn variable-length metapaths, we also include the identity matrix I in this set.

A layer inspired by the Graph Transformer Network (GTN) [51] is then used to learn a soft selection of these candidate matrices. Specifically, we introduce a learnable weight vector $\varphi \in {\mathbb{R}}^{\left|\mathcal{A}\right|}$, which is implemented as the kernel of a $1\times 1$ convolution. Each element in $\varphi$ corresponds to a candidate matrix in the set $\mathcal{A}=\{A_{AA},A_{AN},\dots ,I\}$. Applying a softmax function to this vector yields a normalized attention vector, $\alpha =\mathrm{softmax}\left(\varphi \right)$, where each element ${\alpha }_t$ represents the learned importance of the corresponding candidate matrix $A_t$. These attention scores are then used to compute a weighted combination of the candidate matrices, forming a new graph structure $F(\mathcal{A};\varphi )$, as expressed in Equation (19):

$$F(\mathcal{A};\varphi )=\sum _{t=1}^{\left|\mathcal{A}\right|}{\alpha }_t{A}_t$$

(19)

The resulting matrix $F(\mathcal{A};\varphi )$ represents a new graph structure defined by a weighted combination of the base pseudo-relations.

To discover longer and more complex Pseudo-Metapaths, we stack K GT layers. The output of the k-th layer, $A^{\left(k\right)}$, is generated by multiplying the output of the previous layer with a new learned combination of base matrices. This composition allows the model to construct metapaths of up to length K, expressed as Equation (20):

$$A^{\left(k\right)}=A^{(k-1)}·F(\mathcal{A};{\varphi }^{\left(k\right)}),\mathrm{with}{A}^{\left(0\right)}=I$$

(20)

To learn multiple distinct Pseudo-Metapaths simultaneously, we extend this operation to have $C_{\mathrm{out}}$ channels.

Finally, we perform graph convolution on these newly generated graphs. For each learned metapath graph $A_c^{\left(K\right)}$, we apply a GNN layer (e.g., GCN) to propagate information from the concatenated representations $\left[Z_{\mathrm{initial}}\right|\left|X\right]$, where $\left|\right|$ denotes the feature concatenation operator. This process can be expressed as Equation (21):

$$H_c={\sigma }_{\mathrm{act}}({\tilde{D}}_c^{-1/2}{\tilde{A}}_c^{\left(K\right)}{\tilde{D}}_c^{-1/2}[Z_{\mathrm{initial}}\left|\right|X\left]W\right)$$

(21)

where ${\tilde{A}}_c^{\left(K\right)}=A_c^{\left(K\right)}+I$, ${\tilde{D}}_c$ is its degree matrix, and W is a shared trainable weight matrix. The final, semantically enriched representation for each node, $H_{\mathrm{final}}$, is obtained by aggregating the outputs from all channels, as shown in Equation (22):

$$H_{\mathrm{final}}=H_1\left|\right|H_2\left|\right|H_3\left|\right|\dots$$

(22)

This final representation is then used for the ultimate intrusion detection prediction. By learning to construct the most salient propagation pathways automatically, our framework establishes powerful, long-range information highways that directly and effectively combat the under-reaching problem.

In contrast to fixed schemas, our work dynamically induces pseudo-types from model predictions and learns to route supervision along Pseudo-Metapaths, coupling frequency-aware representations with adaptive, semantically guided propagation to mitigate under-reaching in low-label, imbalanced, and heterophilous regimes.

The pseudo-code of the forward process of PseudoMetapathNet is shown in Algorithm 1, and the PseudoMetapathNet framework is trained end-to-end by optimizing a composite loss function. This objective is carefully designed to address two distinct but interconnected goals: (1) ensuring high accuracy on the final intrusion detection task and (2) regularizing the intermediate dynamic graph heterogenization stage to produce a coherent and meaningful semantic structure. To this end, our total loss function $\mathcal{L}$ is composed of a primary supervised task loss ${\mathcal{L}}_{\mathrm{task}}$ and a self-supervised auxiliary contrastive loss ${\mathcal{L}}_{\mathrm{aux}}$.

Algorithm 1 PseudoMetapathNet (Forward Process)

Require:  Input graph $G=(V,E,X)$; Confidence threshold $\delta$. Ensure:  Anomaly prediction scores P for all nodes in V.   1:  // Stage 1: Frequency-Aware Representation Learning   2:  Compute initial node embeddings $Z_{\mathrm{initial}}$ (see Equation (17)).   3:     4:  // Stage 2: Dynamic Graph Heterogenization   5:  Compute anomaly probabilities $p(y_v=1|Z_{\mathrm{initial}})$ for all nodes (see Equations (17) and (18)).   6:  Assign temporary node types $\tau \left(v\right)$ using threshold $\delta$ (see Equation (18)).   7:  Construct candidate adjacency matrices $\mathcal{A}=\{A_{AA},A_{AN},A_{NA},A_{NN},I\}$ based on types $\tau$.   8:     9:  // Stage 3: Pseudo-Metapath Propagation  10:  Generate multi-hop pseudo-metapath graphs ${\left\{A_c^{\left(K\right)}\right\}}_{c=1}^{C_{\mathrm{out}}}$ (see Equation (20)).  11:  Concatenate features for propagation: $X_{\mathrm{concat}}\leftarrow [Z_{\mathrm{initial}}\left|\right|X]$.  12:  for $c=1$ to $C_{\mathrm{out}}$ do  13:     Propagate information along the c-th metapath to get $H_c$ (see Equation (21)).  14:  end for  15:  Aggregate final representations $H_{\mathrm{final}}$ from all channels (see Equation (22)).  16:    17:  // Final Prediction  18:  Compute final anomaly scores P from the enriched representations $H_{\mathrm{final}}$.

4.3.1. Primary Task Loss

The primary objective is to correctly classify nodes as either normal or anomalous. This is achieved through a standard supervised learning setup. Given the final semantically enriched node representations $H_{\mathrm{final}}$ from Equation (22), a final linear classifier is applied to produce the prediction logits. For the set of labeled training nodes, denoted as ${\mathcal{V}}_L$, we have

$${\mathcal{L}}_{\mathrm{task}}=-\sum _{v\in {\mathcal{V}}_L}\left(y_{v}log\left(p_v\right)+(1-y_v)log(1-p_v)\right)$$

(23)

where $y_v$ is the true label for node v, and $p_v$ is the predicted probability of node v being an anomaly, derived from $H_{\mathrm{final}}$. This loss directly drives the model to learn effective Pseudo-Metapaths for the downstream task. Here, ${\mathcal{L}}_{task}$ is a binary cross-entropy (BCE) loss, which is equivalent to the negative log-likelihood (NLL) of the predictions. The standard cross-entropy (CE) loss can also be adopted according to the dataset. The negative sign is necessary as the log-likelihood (the term inside the summation) is non-positive, and the training objective is to minimize this loss (i.e., maximize the likelihood). The formulation is numerically stable at boundary conditions: for a perfect prediction (e.g., $y_v=1,p_v=1$), the loss correctly evaluates to 0, as the $0·log\left(0\right)$ term’s limit is 0.

4.3.2. Auxiliary Contrastive Loss for Stable Heterogenization

A critical challenge in our framework is that the quality of the learned Pseudo-Metapaths is highly dependent on the stability and semantic coherence of the pseudo-labels generated. Relying solely on the distant supervision from ${\mathcal{L}}_{\mathrm{task}}$ can lead to unstable training, as the pseudo-labeling process lacks a direct, immediate learning signal.

To address this, we introduce an auxiliary self-supervised loss, ${\mathcal{L}}_{\mathrm{aux}}$, which acts as a regularization term on the initial node embeddings $Z_{\mathrm{initial}}$. The goal of this loss is to enforce a more structured embedding space, providing a strong inductive bias for the dynamic heterogenization stage. Specifically, it encourages the representations of nodes that are assigned the same pseudo-type to be closer to each other, while pushing apart the representations of nodes with different pseudo-types.

We formulate this as a contrastive loss. For a given pair of nodes $(v_i,v_j)$, we define their relationship based on their pseudo-labels $\tau \left(v_i\right)$ and $\tau \left(v_j\right)$ from Equation (18). The loss is defined over a batch of randomly sampled node pairs and consists of two components:

$${\mathcal{L}}_{\mathrm{aux}}={\mathbb{E}}_{(v_i,v_j)}\left[\mathbb{I}(\tau \left(v_i\right)=\tau \left(v_j\right))·d(z_i,z_j)+\mathbb{I}(\tau \left(v_i\right)\ne \tau \left(v_j\right))·max(0,m-d(z_i,z_j))\right]$$

(24)

where $z_i=Z_{\mathrm{initial},i}$ is the initial embedding of node $v_i$, $d(z_i,z_j)={\parallel z_i-z_j\parallel }_2^2$ is the squared Euclidean distance, $\mathbb{I}(·)$ is the indicator function, and m is a positive margin hyper-parameter. This loss minimizes the distance between positive pairs (nodes with the same pseudo-type) and enforces that negative pairs (nodes with different pseudo-types) are separated by at least the margin m. This provides a direct supervisory signal to the Beta-Wavelet module, ensuring it produces embeddings that are not only spectrally discriminative but also well-clustered according to the model’s own evolving semantic understanding.

4.3.3. Overall Objective

The final training objective is a weighted combination of the task loss and the auxiliary loss, controlled by a balancing hyperparameter $\lambda$:

$$\mathcal{L}={\mathcal{L}}_{\mathrm{task}}+\lambda {\mathcal{L}}_{\mathrm{aux}}$$

(25)

By optimizing this composite objective, PseudoMetapathNet learns to simultaneously perform the classification task and refine its own internal representation of the graph’s semantic structure. This dual-objective approach ensures that the dynamic heterogenization process is stable and produces meaningful pseudo-types, which in turn allows the model to discover powerful and effective propagation pathways to combat the under-reaching problem.

5. Experiments

5.1. Settings

5.1.1. Environments

In this paper, all experiments are conducted on a server equipped with 8 NVIDIA Tesla A100 GPUs, and all reported results are averaged over five independent runs. The version of the software is Pytorch 2.4 and Pytorch Geometric 2.6.

5.1.2. Datasets

We utilize four real-world open-source benchmark datasets, including the following:

• NSL-KDD is a dataset that improves upon the KDD Cup 1999 dataset, containing various optical network traffic features and attack types.
• UNSW-NB15 is a comprehensive dataset with a wide range of modern attack types and normal optical network traffic.
• CICIDS2017 is a dataset that includes various optical network traffic data with different types of attacks.
• KDD Cup 1999 is a classic dataset used for intrusion detection, containing a large amount of optical network traffic data.

To apply our GNN-based framework, we first converted the above tabular datasets into graph structures. In this process, following [52], we make each unique IP address a node, and an undirected edge is created between two nodes if any network flow is recorded between their corresponding IP addresses. The initial node features for matrix X are constructed by aggregating the statistical attributes from all flow records associated with each IP address. Before final graph generation, the data undergoes a standardized preprocessing pipeline to ensure feature consistency and prevent data leakage from the test set. Specifically, categorical features are first transformed using an unsupervised target encoder that is fitted solely on the training data. Following this, all numerical features are normalized using an L2 normalizer, which is also fitted exclusively on the training set. Any resulting null or infinite values from these steps are imputed with 0. The final output is a graph, represented by an adjacency matrix A and a node feature matrix X, which serves as the direct input for our model.

5.1.3. Baselines

To provide a thorough analysis, we compare our method against a diverse set of baselines, which can be broadly categorized into two groups. The first group consists of classical machine learning methods, including RandomForest [53], SVM [54], MLPClassifier [55]; tree-based ensemble models like GradientBoosting [56] and XGBoost [57]; as well as DecisionTree [58] and LogisticRegression [59]. The second group comprises representative Graph Neural Network (GNN) models to cover state-of-the-art graph learning techniques. This suite includes SuperGAT [60], GraphSAGE [61], ARMA [62], GIN [63], BWGNN [38], ACM-GCN [49], FSGNN [50], and FAGCN [64]. This selection ensures a comprehensive evaluation against both fundamental and advanced techniques.

5.2. Comparative Study

To evaluate our proposed framework (PseudoMetapathNet), we conducted extensive comparisons against diverse baseline models across four network intrusion detection datasets. The baselines include traditional machine learning methods (RandomForest and SVM), classic GNN architectures (GraphSAGE and GIN), and a state-of-the-art spectral GNN (BWGNN). Results are summarized in

Table 1. Performance (%) on CICIDS2017 dataset.

Model	Accuracy	Precision	Recall	F1	AUC
RandomForest	81.83633	48.10705	45.43508	46.73151	87.64375
SVM	81.03792	43.57658	42.95648	43.26481	84.37055
MLPClassifier	79.74052	26.36872	26.35367	26.36119	70.89022
GradientBoosting	79.24152	57.43448	53.92850	55.62648	83.23684
XGBoost	77.64471	76.51284	78.14112	77.31821	84.47390
DecisionTree	65.36926	38.92923	37.89922	38.40682	62.74335
LogisticRegression	16.16767	6.00140	5.73275	5.86434	50.67821
SuperGAT	98.00399	98.19696	84.79829	91.02187	99.41239
GraphSAGE	97.20559	99.02195	74.82453	85.22356	95.42238
ARMA	95.90818	91.82341	87.45789	89.58162	94.19063
GIN	84.63074	71.43551	69.21884	70.30925	81.66264
ACM-GCN	97.51482	96.58112	81.22341	88.24583	96.88175
FSGNN	96.93381	94.11284	80.53372	86.79152	96.10234
FAGCN	98.15284	97.02153	85.98132	91.15248	98.52185
BWGNN	98.50299	97.34426	89.13771	93.06345	98.94627
PseudoMetapathNet	98.60279	99.56428	90.17831	94.63681	97.57524

,

Table 2. Performance (%) on KDD CUP 1999 dataset.

Model	Accuracy	Precision	Recall	F1	AUC
RandomForest	82.37624	63.66175	49.90197	55.94321	82.22796
SVM	93.46535	81.25132	78.91456	80.06871	87.44851
MLPClassifier	92.27723	55.81782	52.34981	54.02543	67.45665
GradientBoosting	42.17940	49.18522	34.47804	40.57531	78.62996
XGBoost	91.78218	79.54917	77.29234	78.40665	86.63364
DecisionTree	36.83168	32.66907	34.40973	33.51659	58.51039
LogisticRegression	80.89109	47.27530	24.26325	32.06796	64.63950
SuperGAT	99.10891	99.11500	77.17949	86.85245	99.78974
GraphSAGE	98.37232	94.21235	90.55118	92.34862	99.52858
ARMA	98.06288	92.88765	89.73421	91.28234	99.05285
GIN	98.29475	93.15982	88.19632	90.60471	99.50293
ACM-GCN	98.88119	95.02142	86.15283	90.37415	99.65182
FSGNN	98.53465	94.88241	84.22813	89.22153	99.58241
FAGCN	99.05941	96.12142	87.58120	91.65482	99.71534
BWGNN	99.20792	96.89801	85.71545	90.96324	99.73870
PseudoMetapathNet	99.30693	99.32304	83.71795	90.86544	99.80544

,

Table 3. Performance (%) on NSL-KDD dataset.

Model	Accuracy	Precision	Recall	F1	AUC
RandomForest	74.23137	71.18048	67.20325	69.13258	85.27167
SVM	73.64213	73.88796	68.24678	70.95478	82.07971
MLPClassifier	75.81942	73.16787	68.76533	70.89623	84.49529
GradientBoosting	72.75358	70.75396	66.41351	68.51465	81.73078
XGBoost	68.38729	63.75524	61.71893	62.72021	80.68568
DecisionTree	57.86461	53.36908	52.19507	52.77448	64.57063
LogisticRegression	59.62854	44.39247	44.11079	44.25091	72.10095
SuperGAT	98.04783	97.54691	97.29396	97.42028	99.89684
GraphSAGE	94.78276	94.60389	91.23958	92.89134	99.25991
ARMA	93.56149	93.07582	89.46178	91.23145	99.08637
GIN	88.29365	92.21728	79.62713	85.45423	98.39659
ACM-GCN	95.81242	95.32152	92.11241	93.68952	99.41251
FSGNN	95.12284	94.95124	90.89124	92.87412	99.35124
FAGCN	97.51241	96.95124	96.81242	96.88178	99.79152
BWGNN	98.01538	97.17831	97.69145	97.43419	99.83052
PseudoMetapathNet	98.37472	97.59439	98.01123	97.80241	99.66414

and

Table 4. Performance (%) on UNSW-NB15 dataset.

Model	Accuracy	Precision	Recall	F1	AUC
RandomForest	98.53718	86.79719	58.77267	70.11581	85.40183
SVM	98.56295	86.79719	58.77267	70.11581	71.79104
MLPClassifier	97.81537	56.33722	52.63599	54.42251	62.20454
GradientBoosting	97.84962	64.72605	61.30692	62.96498	86.84699
XGBoost	98.27385	72.51968	67.29101	69.80374	75.31566
DecisionTree	97.88417	64.72605	61.30692	62.96498	71.30692
LogisticRegression	98.92648	99.44668	67.64706	80.45719	83.44444
SuperGAT	99.75824	96.77337	94.06678	95.40131	94.27323
GraphSAGE	99.81739	97.00796	97.00796	97.00796	99.92819
ARMA	98.64276	97.15986	96.89333	97.02643	99.90426
GIN	99.93683	97.22222	99.89828	98.54224	99.92221
ACM-GCN	99.85124	97.10241	97.52124	97.31138	99.92981
FSGNN	99.82131	96.95124	97.12421	97.03765	99.91521
FAGCN	99.88124	97.28124	98.02124	97.64984	99.93512
BWGNN	99.78156	96.77337	94.06678	95.40131	99.93118
PseudoMetapathNet	99.96494	97.94876	99.15342	98.54714	99.94016

.

A consistent observation across all datasets is that graph-based methods significantly outperform traditional machine learning approaches. Traditional methods rely solely on node features, ignoring network topology and traffic relationships. In contrast, GNNs leverage structural information through message passing to identify complex intrusion patterns. On CICIDS2017 (Table 1), most traditional models yield F1-scores below 56%, while leading GNNs exceed 80%.

Our PseudoMetapathNet demonstrates consistently superior performance across all datasets. On CICIDS2017, it achieves 93.46% F1-score and 99.56% Precision, outperforming SuperGAT (F1: 87.73%) and BWGNN (F1: 91.85%). On NSL-KDD, it secures the highest metrics with an F1-score of 97.80%. Similarly, it achieves state-of-the-art results on KDD CUP 1999 and UNSW-NB15 (F1-scores of 90.19% and 98.55% respectively).

The performance improvement over BWGNN, which serves as our framework’s spectral backbone, directly validates our core contributions: dynamic graph heterogenization and Pseudo-Metapath propagation. Beyond the gains on CICIDS2017, our model boosts the F1-score on UNSW-NB15 from 95.38% to 98.55%, and on NSL-KDD, from 97.43% to 97.80%. This confirms that relying solely on frequency-aware node features is insufficient; learning to route supervision signals along semantically relevant paths effectively combats the “under-reaching” problem caused by sparse labels.

To deconstruct our architecture’s advantages, we compare it specifically with two advanced GNNs: SuperGAT and BWGNN. Each possesses distinct strengths but also limitations that our framework overcomes:

BWGNN leverages Beta-Wavelet filters to capture high-frequency signals characteristic of anomalies. While it excels as a feature extractor, it remains constrained by standard message-passing, limiting propagation to distant nodes under sparse supervision.

SuperGAT addresses long-range dependencies by aggregating information from different neighborhood ranges. However, its multi-hop pathways are structurally fixed and semantically agnostic, unable to follow specific semantic patterns crucial for intrusion detection.

Our PseudoMetapathNet synthesizes these strengths while overcoming their limitations. It begins with a strong spectral foundation for robust initial representations, then transcends the propagation bottleneck with our dynamic Pseudo-Metapath mechanism. This allows the model to route supervision signals along semantically meaningful paths discovered on-the-fly—a capability both baselines lack.

The empirical results strongly validate this design:

• PseudoMetapathNet vs. BWGNN: Our consistent performance improvement over BWGNN (e.g., F1-score of 93.46% vs. 91.85% on CICIDS2017) demonstrates the benefit of our dynamic propagation mechanism.
• PseudoMetapathNet vs. SuperGAT: The larger gap between our model and SuperGAT (93.46% vs. 87.73% F1-score on CICIDS2017) highlights the superiority of adaptive, semantic propagation over fixed multi-scale aggregation.

As illustrated by the loss curves in Figure 3, PseudoMetapathNet exhibits a smooth and consistent convergence trend across all three datasets, comparable to the established baseline models. This demonstrates that despite the inclusion of the auxiliary loss ${\mathcal{L}}_{aux}$, our model maintains excellent training stability and feasibility.

In conclusion, our framework’s remarkable performance stems from synergistically combining a powerful spectral feature extractor with a novel, semantically aware propagation mechanism that directly addresses the limitations of existing GNNs.

We acknowledge that the performance gap on the original intrusion detection datasets could be further substantiated. To more rigorously test the robustness and generalizability of our framework, we carry out a broader evaluation on three widely-recognized benchmark datasets from the related domain of Graph Anomaly Detection (GAD): Amazon, T-Finance, and Questions. These datasets are known for their challenging characteristics, such as severe class imbalance and heterophily, making them an ideal testbed to validate the effectiveness of our Pseudo-Metapath mechanism beyond its initial application domain. In these datasets, we following the setting from [65], using three metrics: Area Under the Receiver Operating Characteristic Curve (AUROC) and Area Under the Precision–Recall Curve (AUPRC), calculated by average precision, and the Recall score within top-K predictions (Rec@K). We set K as the number of anomalies within the test set. In all metrics, anomalies are treated as the positive class, with higher scores indicating better model performance.

As shown in

Table 5. Performance comparison of Graph Neural Network models on three different graph anomaly detection datasets. For each dataset and metric, the highest value is indicated in bold and the second-highest in underline. Since the source code of BWMixup is not publicly available, we report its performance as they claimed in their paper [65].

Dataset	Model	Performance Metrics
		AUROC (%)	AUPRC (%)	Rec@K (%)
Amazon	GAT	90.48	78.74	74.78
	GraphSAGE	89.87	66.84	63.59
	ARMA	91.43	81.43	82.61
	GIN	83.60	42.59	52.33
	BWGNN	91.99	81.43	77.33
	ACM-GCN	60.31	13.55	13.59
	FSGNN	94.16	80.14	86.96
	FAGCN	86.91	64.12	58.70
	BWMixup	94.36	82.94	78.75
	PseudoMetapathNet	94.95	82.63	88.42
T-Finance	GAT	95.15	71.36	72.12
	GraphSAGE	80.92	15.60	18.31
	ARMA	91.21	71.39	71.01
	GIN	85.04	51.23	56.82
	BWGNN	91.56	63.97	70.49
	ACM-GCN	87.06	59.33	67.82
	FSGNN	92.40	78.62	70.40
	FAGCN	85.33	53.62	61.07
	BWMixup	94.93	72.07	72.47
	PseudoMetapathNet	96.40	86.62	81.55
Questions	GAT	70.02	14.76	7.53
	GraphSAGE	72.34	16.80	12.84
	ARMA	72.19	14.43	10.27
	GIN	67.73	12.27	9.18
	BWGNN	70.93	16.39	10.27
	ACM-GCN	71.09	17.00	10.27
	FSGNN	73.38	17.42	8.63
	FAGCN	68.47	11.19	3.70
	BWMixup	64.42	8.03	10.41
	PseudoMetapathNet	72.00	18.09	9.45

and

Table 6. Performance comparison of various models on a optical failure dataset [66].

Model Name	Accuracy	Precision	Recall	F1 Score	AUC
SVM	82.5184	81.7265	76.1923	78.8591	85.1029
RandomForest	86.1022	85.3418	84.5082	84.9230	91.0455
DecisionTree	73.4591	71.0284	70.1533	70.5882	78.5210
GradientBoosting	87.9530	87.1593	86.9215	87.0402	92.8164
MLPClassifier	84.3829	83.5281	82.0439	82.7785	89.5833
LogisticRegression	79.2045	78.9522	75.8391	77.3650	82.4173
XGBoost	88.4201	87.9812	87.2391	87.6086	93.1532
ARMA	88.9511	88.1024	87.8533	87.9777	93.8519
GraphSAGE	89.5240	89.1532	88.6019	88.8767	94.3168
FSGNN	89.9834	89.5571	89.2144	89.3855	94.8812
ACM-GNN	90.1522	89.8299	89.4382	89.6336	95.1046
SuperGAT	90.6718	90.2355	90.0125	90.1238	95.7320
FAGCN	90.9345	90.6813	90.3582	90.5195	96.0155
GIN	91.2281	91.0533	90.5294	90.7906	96.3571
BWGNN	92.4815	91.8533	91.7692	91.8112	97.2588
PseudoMetapathNet	92.3160	91.9542	91.8021	91.8781	97.1053

, our framework demonstrates a consistently strong, and often superior, performance against a comprehensive suite of GNN baselines. Specifically, on the Amazon and T-Finance datasets, PseudoMetapathNet achieves state-of-the-art results by securing the top performance across all three evaluation metrics (AUROC, AUPRC, and Rec@K). For instance, on T-Finance, it obtains the highest AUROC of 96.40%, AUPRC of 86.62%, and Rec@K of 81.55%, decisively outperforming all competitors. On the challenging Questions dataset, where performance is highly competitive, our model achieves the highest AUPRC of 18.09%. This result is particularly significant, as AUPRC is a more informative metric than AUROC for evaluating models on severely imbalanced datasets, a key feature of this benchmark. These comprehensive results strongly corroborate our central claim: the dynamic Pseudo-Metapath mechanism is a powerful and generalizable strategy for enhancing node anomaly detection in complex graph structures.

5.3. Ablation Study

To verify the individual contributions of the key components within our proposed framework, we conducted a series of ablation experiments on all four datasets. We investigated the impact of two core modules: (1) the Beta-Wavelet spectral filter module, responsible for learning frequency-aware node representations and (2) our novel Pseudo-Metapath propagation module, which dynamically routes supervision signals. We evaluated two variants of our model: one without the spectral module and another without the metapath module. The performance degradation relative to the full model is presented in Figure 4.

The Pseudo-Metapath module, as illustrated by the results, are unequivocally the most critical component of our framework. Removing this module resulted in a substantial and consistent performance drop across all datasets and nearly all metrics. The impact was particularly dramatic on the UNSW-NB15 dataset, where its removal led to a catastrophic decrease in Recall by 8.92% and in AUC by 11.75%. Similarly, on CICIDS, the F1-score plummeted by 7.12%. These significant degradations strongly validate our central hypothesis: standard message passing is insufficient for this task. The dynamic, semantically aware propagation routes learned by the Pseudo-Metapath module are essential for effectively combating the “under-reaching” problem and ensuring that supervision signals reach relevant nodes throughout the network.

The Beta-Wavelet spectral filter also proved to be a vital component for achieving optimal performance. Disabling this module consistently led to a noticeable drop in performance, confirming its role in generating robust initial node embeddings. For instance, on the CICIDS dataset, removing the spectral filter caused a 4.92% drop in Precision. On the NSL-KDD dataset, Accuracy and Precision decreased by 2.53 and 2.09%, respectively. This demonstrates that effectively capturing the high-frequency signals characteristic of network anomalies provides a strong and necessary foundation for the subsequent propagation and classification steps. The synergy between a powerful feature extractor and an intelligent propagation mechanism is therefore key to the model’s success.

In summary, our ablation studies confirm that both the spectral filter and the Pseudo-Metapath module are integral and synergistic components. The spectral filter provides a robust feature basis by capturing anomaly signatures, while the Pseudo-Metapath module provides an indispensable mechanism for effective, long-range information propagation, with the latter being the primary driver of our model’s superior performance.

5.4. Hyper-Parameter Study

In this section, we conduct a comprehensive study to investigate the impact of two critical hyper-parameters on the performance of our proposed model: the number of Dynamic Metapath Learning Layers (aka, Num Layers) and the pseudo-labeling cutoff threshold $\delta$ (aka, Cutoff).

The number of layers determines the model’s complexity and receptive field, while the cutoff threshold controls the confidence required for assigning pseudo-labels during the training process. The model’s performance is measured using Accuracy and Recall, with the results visualized as 3D surface plots to illustrate the interplay between these two parameters. As illustrated in Figure 5 and Figure 6, we can draw several key insights from the experimental results.

First, a striking observation is the high degree of consistency between the optimal hyper-parameter regions for maximizing accuracy and recall. Across all datasets, the parameter combinations that yield the highest accuracy also tend to produce the highest recall. This indicates that our model does not require a significant trade-off between these two crucial metrics, simplifying the tuning process.

Second, the Cutoff threshold emerges as the most dominant factor influencing performance. For all four datasets, setting the threshold to a high value (e.g., greater than 0.8) invariably leads to a sharp decline in both accuracy and recall. This is intuitive, as a stricter criterion for classifying positive instances causes the model to miss more potential threats, thereby increasing the number of false negatives and degrading overall performance. The results suggest that a lower-to-mid-range cutoff (approximately 0.5 to 0.7) is optimal.

Third, the ideal model complexity, dictated by the Num Layers, varies depending on the characteristics of the dataset. For KDD CUP 99 and its subset NSL-KDD, a simpler model with two to three layers achieves the best results. Increasing the model’s depth beyond this point leads to a performance drop, likely due to over-smoothing or overfitting. Conversely, for the CICIDS2017 dataset, the model’s performance is largely insensitive to the number of layers, provided that the cutoff threshold is set appropriately. This suggests that the features in this dataset are robust enough to be effectively captured by models of varying depths. The UNSW-NB15 dataset shows a more complex relationship, but a model with 2 layers still provides a reliable and high-performing baseline.

In summary, this study underscores the importance of careful hyper-parameter tuning. The primary guideline for our model is to maintain the Cutoff threshold within a moderate range of [0.5, 0.7]. Within this range, the PseudoMetapathNet with 2 to 3 layers offers a robust and effective configuration for achieving high accuracy and recall across diverse network intrusion detection environments.

5.5. Case Study

To provide a qualitative and intuitive understanding of how PseudoMetapathNet overcomes the limitations of standard GNNs, we conduct a detailed case study on a representative subgraph extracted from the dataset. As illustrated in Figure 7, we selected a homophilous cluster consisting of four interconnected anomaly nodes. This scenario is particularly insightful as it tests a model’s ability to recognize and amplify signals within a group of coordinated malicious entities, a situation where simpler models can surprisingly fail.

The results of the case study clearly demonstrate the superiority of our proposed framework. The leftmost panel of Figure 7 shows the ground truth, a cluster where all four nodes are anomalies. The second panel reveals the surprising failure of the baseline Graph Convolutional Network (GCN) model [67]. Despite the absence of any normal nodes to cause confusion, the GCN misclassifies every single anomaly as normal, yielding a low confidence score of 0.45 for each. This suggests that the standard message-passing mechanism is insufficient for creating a signal reinforcement loop among anomalous peers and may be biased by the globally prevalent normal class.

In stark contrast, the third panel shows the decisive success of our PseudoMetapathNet. It correctly identifies all four nodes as anomalies with the highest possible confidence score of 1.00. The key to this success is revealed in the rightmost panel, which visualizes the learned attention weights. Our model has learned to assign the highest importance to the A-A (Anomaly-Anomaly) metapath, with a weight significantly greater than other path types.

This learned knowledge is critical. When processing this subgraph, PseudoMetapathNet’s dynamic typing and attention mechanism explicitly amplify the information flow along these high-weight A-A paths. This creates a powerful positive feedback loop where each anomaly node mutually reinforces its neighbors’ anomalous status, rapidly driving the prediction confidence to its maximum. This case provides strong qualitative evidence that the Pseudo-Metapath mechanism is crucial for identifying not only isolated threats in heterophilous environments but also coordinated patterns of malicious activity by learning and exploiting the underlying semantic graph structure.

6. Conclusions

In this paper, we propose PseudoMetapathNet, a novel GNN framework that tackles the “under-reaching” problem in optical network intrusion detection by learning dynamic, semantically aware propagation routes—Pseudo-Metapaths. Leveraging Beta-Wavelet spectral filters for high-frequency anomaly capture and a dynamic heterogenization module that assigns transient node types via pseudo-labels, our model guides supervision signals along adaptive, meaningful paths beyond fixed topology. Experiments on four benchmarks show remarkable performance over ML and GNN baselines, with ablations confirming the critical role of Pseudo-Metapath propagation.

Limitations & Future Work

A primary limitation, common to research in this area, is the reliance on general-purpose network intrusion benchmarks due to the scarcity of large-scale, public datasets specific to the physical or control layers of optical networks. While our experiments on these proxies effectively demonstrate our method’s ability to handle the core structural challenges of label sparsity and heterophily, a crucial avenue for future work is to validate PseudoMetapathNet on multiple large-scale real-world optical network traffic data as it becomes accessible, which would confirm its practical utility in the target domain. From a technical perspective, future research should explore scalable spectral approximations to improve efficiency. Second, the model’s performance shows sensitivity to the fixed pseudo-labeling cutoff threshold. A promising future direction is to develop an adaptive thresholding mechanism that can adjust dynamically based on model confidence. Finally, the core concept of learning dynamic propagation routes is highly generalizable. We plan to extend the Pseudo-Metapaths framework to other challenging, label-scarce, and heterophilic domains such as financial fraud detection and online misinformation tracking.