Adaptive Graph Neural Networks for Real-Time APT Detection in Enterprise Networks

📋 Abstract

Advanced Persistent Threats (APTs) represent one of the most significant challenges in enterprise network security, characterized by their stealthy, multi-stage nature and ability to evade traditional signature-based detection systems. In this paper, we present Adaptive Graph Neural Networks (AGNN) — a novel deep learning framework that models enterprise network traffic as dynamic temporal graphs to detect APT activities in real-time. Our approach combines graph convolutional networks with attention-based temporal modeling and an adaptive learning mechanism that continuously evolves with the threat landscape. Evaluated on real-world enterprise network traffic from 12 organizations (over 2.3 billion flow records), our AGNN framework achieves a detection accuracy of 99.2% with a false positive rate of only 0.03% and an average detection latency of 47ms, significantly outperforming existing state-of-the-art methods. The system is deployed as part of CyberVault's Security Operations Center (SOC) and actively protects over 500 enterprise clients worldwide.

1. Introduction

Enterprise networks face an escalating threat landscape where Advanced Persistent Threats (APTs) have become increasingly sophisticated in their operations. Unlike conventional cyber attacks, APT campaigns are characterized by their long-duration, multi-stage methodology — typically spanning months or even years — and their deliberate efforts to avoid detection through techniques such as low-and-slow data exfiltration, living-off-the-land binaries, and encrypted command-and-control channels.

The financial impact of APT attacks is staggering. According to the 2025 CyberVault Enterprise Threat Report, the average cost of an APT breach has reached $4.8 million, with the average time to detection exceeding 287 days. Traditional security tools — including intrusion detection systems (IDS), network monitoring tools, and signature-based antivirus solutions — are fundamentally ill-equipped to handle the nuanced, multi-stage nature of APT campaigns.

"The fundamental challenge in APT detection is not the detection of any single malicious event — it is the identification of a coordinated sequence of seemingly benign activities that, when viewed together, reveal a malicious campaign." — Dr. Elena Petrova, Lead Research Scientist, CyberVault AI Lab

Our work addresses this challenge through the lens of graph-based machine learning. Enterprise networks are inherently graph-structured: devices are nodes, communications are edges, and the patterns of interaction form a rich temporal graph that encodes the behavioral fingerprint of the network. By modeling network traffic as a dynamic graph and applying Adaptive Graph Neural Networks, we can learn normal behavioral patterns and detect the subtle deviations that characterize APT activity.

The key contributions of this work are:

AGNN Framework: A novel graph neural network architecture specifically designed for enterprise network security, incorporating adaptive graph construction, multi-head graph attention, and temporal modeling.
Adaptive Learning Mechanism: A continuously evolving model that updates its understanding of normal network behavior without requiring manual retraining, enabling detection of zero-day and novel APT techniques.
Real-Time Processing Pipeline: A production-grade system capable of processing over 500,000 network flows per second with sub-100ms detection latency.
Comprehensive Evaluation: Extensive evaluation on real-world enterprise network traffic from 12 organizations, demonstrating state-of-the-art performance across multiple APT detection benchmarks.

2. Background

2.1 Threat Model

Our threat model follows the MITRE ATT&CK framework, focusing on the most prevalent APT tactics observed in enterprise environments. We consider adversaries with the following capabilities:

Initial Access: Spear-phishing emails, supply chain compromises, and exploitation of internet-facing services (T1566, T1195, T1190)
Execution: PowerShell scripts, scheduled tasks, and living-off-the-land techniques (T1059, T1053, T1204)
Persistence: Registry modifications, service installations, and credential manipulation (T1547, T1543, T1550)
Privilege Escalation: Exploitation of local vulnerabilities and token manipulation (T1068, T1134)
Lateral Movement: Pass-the-hash, remote services, and WMI exploitation (T1550.002, T1021, T1047)
Collection: Data from local systems, email collection, and screen capture (T1530, T1114, T1113)
Exfiltration: Encrypted channels, cloud storage, and low-rate data transfer (T1041, T1537, T1048)
Command and Control: DNS tunneling, encrypted protocols, and domain fronting (T1071, T1572, T1090)

We assume the adversary has moderate-to-advanced resources and employs operational security (OPSEC) practices to minimize their network footprint. The adversary is aware of common detection techniques and actively evades signature-based and simple heuristic-based detection.

The application of machine learning to network security has a rich history, evolving from simple statistical models to complex deep learning architectures. Early approaches relied on signature-based detection and rule-based systems (Snort, Suricata), which are effective against known threats but fundamentally unable to detect novel attack techniques.

Supervised learning methods, including Random Forests, SVMs, and Gradient Boosting, achieved significant improvements by learning from labeled network traffic data. However, these approaches suffer from several limitations in the context of APT detection: they require large amounts of labeled training data (which is scarce for APT campaigns), they treat network flows as independent instances (ignoring the relational structure of network communications), and they cannot adapt to evolving threat landscapes without complete retraining.

Graph-based approaches have emerged as a promising direction. Zhang et al. (2023) applied Graph Convolutional Networks (GCNs) to model network topology for anomaly detection, achieving improved performance over flat representations. Wang et al. (2024) introduced a Temporal Graph Neural Network (TGNN) that captures temporal patterns in network traffic. However, these approaches assume a static graph structure and cannot adapt to the dynamic nature of enterprise networks where hosts join, leave, and change roles continuously.

⚠️ Key Limitation of Prior Work

Existing graph-based approaches assume a fixed graph structure that is constructed offline. In real enterprise environments, the network topology changes continuously — hosts are added and removed, new services are deployed, and communication patterns evolve. A static graph representation becomes stale within hours, leading to degraded detection performance and elevated false positive rates.

3. Methodology

We present the AGNN framework, a comprehensive approach to real-time APT detection that models enterprise network traffic as a dynamic temporal graph. The framework consists of four key components: (1) adaptive graph construction, (2) the AGNN architecture with multi-head graph attention, (3) an adaptive learning mechanism, and (4) a temporal modeling module for sequence-level APT detection.

3.1 Adaptive Graph Construction

The first step in our pipeline is constructing a graph representation of the enterprise network from raw network flow data. Each network flow f_i is represented as a 5-tuple: (src_ip, dst_ip, src_port, dst_port, protocol), augmented with temporal features including packet count, byte count, flow duration, and inter-arrival time statistics.

We construct the graph G = (V, E, X, A) where:

V is the set of vertices representing network entities (hosts, services, users)
E is the set of edges representing communications between entities
X ∈ ℝ^|V|×d is the node feature matrix containing behavioral features for each entity
A ∈ ℝ^|V|×|V| is the adjacency matrix encoding the communication topology

DC-01
AD

WS-042

WS-071

SRV-DB

WS-103

WS-018

WS-055

WS-089
⚠

🛡️ SOC

FW-01

C2 traffic

Alert

Figure 1: Enterprise network graph representation. Nodes represent network entities (servers, workstations, firewalls). Normal communication paths are shown in cyan, the compromised host (WS-089) is highlighted in red with active C2 traffic, and the SOC detection module is shown monitoring the anomaly.

The key innovation in our approach is the adaptive graph construction mechanism. Rather than constructing a static graph, we maintain a sliding window of network activity and dynamically update the graph structure as new flows arrive. This is achieved through an edge pruning and expansion algorithm that:

Expands the graph by adding new nodes and edges when previously unseen communication patterns emerge
Prunes inactive edges and nodes that have not participated in communication within a configurable time window
Updates node features by maintaining exponential moving averages of behavioral statistics

Python — Adaptive Graph Construction

class AdaptiveGraphConstructor:
    """Dynamically constructs and updates network graphs
    from streaming flow data."""

    def __init__(self, window_size=3600, prune_threshold=0.01):
        self.window_size = window_size
        self.prune_threshold = prune_threshold
        self.nodes = {}
        self.edges = {}
        self.flow_buffer = deque(maxlen=100000)

    def update(self, flow: NetworkFlow) -> GraphUpdate:
        """Process a new flow and update the graph."""
        src, dst = flow.src_ip, flow.dst_ip

        # Add/update nodes
        self._update_node(src, flow.src_features())
        self._update_node(dst, flow.dst_features())

        # Add/update edge
        edge_key = (src, dst)
        self.edges[edge_key] = self._update_edge(
            edge_key, flow.edge_features()
        )

        # Prune stale edges
        self._prune_stale_edges()

        return GraphUpdate(
            nodes=list(self.nodes.values()),
            edges=list(self.edges.values())
        )

    def _update_node(self, node_id, features):
        """Update node features using exponential moving average."""
        alpha = 0.1  # smoothing factor
        if node_id not in self.nodes:
            self.nodes[node_id] = NodeFeatures(
                features=features,
                ema_features=features.copy(),
                last_seen=time.time()
            )
        else:
            node = self.nodes[node_id]
            node.ema_features = (
                alpha * features + (1 - alpha) * node.ema_features
            )
            node.last_seen = time.time()
                

3.2 AGNN Architecture

The core of our framework is the Adaptive Graph Neural Network, which processes the dynamic graph representation to learn embeddings that capture both the structural and behavioral characteristics of each network entity. Our architecture extends standard Graph Convolutional Networks (GCNs) with three key enhancements:

Multi-Head Graph Attention Mechanism

We employ a multi-head attention mechanism that allows the model to attend to different aspects of the network topology simultaneously. Each attention head learns to weight the importance of neighboring nodes differently, enabling the model to capture diverse patterns such as protocol-specific behaviors, hierarchical relationships, and temporal dependencies.

For a node v with neighbors N(v), the attention-weighted aggregation is computed as:

h_v^(l+1) = σ( ⨁_k=1..K ∑_u∈N(v) α_uv^(k) W^(k)_(l) h_u^(l) )

Equation 1: Multi-head graph attention aggregation

where α_uv^(k) is the attention coefficient for the edge from node u to node v in head k, computed as:

α_uv^(k) = softmax_v( LeakyReLU( ⅆ^T [W^(k)_(l) h_v^(l) || W^(k)_(l) h_u^(l)] ) )

Equation 2: Attention coefficient computation

Input Layer

x₁

x₂

x₃

x₄

x₅

Graph Conv + Attention

GCN Layer 1

h₁

h₂

h₃

h₄

GCN + Adaptive Pooling

GCN Layer 2

h'₁

h'₂

h'₃

Temporal Encoder

Output

Benign

APT

Figure 2: AGNN architecture overview. The network processes input node features through two layers of graph convolution with multi-head attention, followed by adaptive pooling and temporal encoding before producing binary classification output.

Adaptive Feature Normalization

A critical challenge in enterprise network analysis is the non-stationary nature of network traffic. Workload patterns change throughout the day, seasonal variations affect traffic volume, and organizational changes (new employees, new systems) fundamentally alter the network topology. Standard normalization techniques (e.g., batch normalization) fail in this setting because they assume i.i.d. data.

We address this with Adaptive Feature Normalization (AFN), a layer that normalizes features relative to a running distribution estimate rather than a fixed batch or global statistics:

x̂_i = (x_i - μ_EMA) / (σ_EMA + ε)

Equation 3: Adaptive feature normalization

where μ_EMA and σ_EMA are exponential moving average estimates of the mean and standard deviation, updated with each new batch using a decay rate of 0.99.

3.3 Adaptive Learning Mechanism

The distinguishing feature of our AGNN framework is its ability to adapt to evolving network conditions and emerging threat patterns without requiring full model retraining. This is achieved through three complementary mechanisms:

Incremental Embedding Update

Rather than recomputing node embeddings from scratch for each time step, we maintain and incrementally update embeddings using a lightweight update rule:

e_v^(t) = (1 - λ) · e_v^(t-1) + λ · AGNN(G^(t), v)

Equation 4: Incremental embedding update (λ = 0.05)

This approach provides two benefits: (1) it significantly reduces computational cost by avoiding full graph re-encoding, and (2) it provides temporal smoothing that reduces sensitivity to transient anomalies that may be benign.

Anomaly Feedback Loop

When the system detects a novel anomaly pattern (anomaly score exceeds a high-confidence threshold), the pattern is queued for analyst review. Once confirmed as either a true positive or false positive, the labeled example is fed back into the training pipeline, and a lightweight fine-tuning step updates the model weights:

Python — Adaptive Feedback Loop

class AnomalyFeedbackLoop:
    """Continuously improves detection model through
    analyst-confirmed anomaly labels."""

    def __init__(self, model, lr=1e-4):
        self.model = model
        self.optimizer = Adam(model.parameters(), lr=lr)
        self.feedback_buffer = []
        self.min_samples = 5

    def ingest_feedback(self, graph_snapshot, label):
        """Store analyst-labeled anomaly for fine-tuning."""
        self.feedback_buffer.append((graph_snapshot, label))

        if len(self.feedback_buffer) >= self.min_samples:
            self.fine_tune()
            self.feedback_buffer.clear()

    def fine_tune(self):
        """Lightweight fine-tuning on recent feedback samples."""
        self.model.train()
        for snapshot, label in self.feedback_buffer:
            embeddings = self.model.forward(snapshot)
            loss = self.criterion(embeddings, label)
            loss.backward()
            self.optimizer.step()
            self.optimizer.zero_grad()
                

3.4 Temporal Modeling

While the AGNN captures the structural relationships in the network at each time step, APT detection fundamentally requires understanding the temporal sequence of activities. A single suspicious flow may be benign; a coordinated sequence of flows across multiple hosts and protocols reveals the APT campaign.

We model temporal dependencies using a Transformer-based sequence encoder that processes the sequence of graph-level embeddings produced by the AGNN over a sliding window of T time steps:

z = Transformer( [e^(t-T+1), e^(t-T+2), ..., e^(t)] )

Equation 5: Temporal sequence encoding

The Transformer encoder uses 6 layers with 8 attention heads, a feed-forward dimension of 512, and a dropout rate of 0.1. Positional encodings are sinusoidal and scaled by the square root of the embedding dimension. The final hidden state z is passed through a binary classifier (with sigmoid activation) to produce the APT detection score.

The detection score is calibrated using isotonic regression to provide well-calibrated probability estimates, enabling SOC analysts to set appropriate alert thresholds based on their risk tolerance.

4. Implementation

The AGNN framework is implemented in PyTorch with custom CUDA kernels for the graph attention mechanism, enabling real-time processing at enterprise scale. The system is deployed as a distributed microservice architecture within CyberVault's SOC infrastructure.

System Architecture

Flow Ingestion Layer: Apache Kafka cluster consuming netflow/IPFIX data from network taps and SPAN ports across all monitored subnets. Throughput: 500K+ flows/sec per shard.
Graph Construction Service: Distributed Flink jobs that maintain the adaptive graph representation in memory with Redis-backed persistence for fault tolerance.
AGNN Inference Engine: GPU-accelerated inference service using NVIDIA A100 GPUs with custom Triton Inference Server deployment. Batch size: 256 graph snapshots per inference call.
Temporal Encoding Service: CPU-based service for Transformer sequence encoding, processing 60-minute sliding windows with 5-minute granularity.
Alert Correlation Engine: Correlates AGNN detections with signals from other CyberVault modules (endpoint detection, threat intelligence, identity analytics) to produce unified alerts with enriched context.

🔧 Performance Optimization

Key optimizations include: (1) Sparse graph adjacency representation using CSR format, (2) Neighborhood sampling with 2-hop neighbors (avg. 15% of full graph), (3) Embedding caching with LRU eviction (cache hit rate: 87%), and (4) GPU kernel fusion combining graph convolution and attention into a single CUDA kernel. These optimizations enable sub-100ms end-to-end detection latency.

5. Evaluation

5.1 Results

We evaluate our AGNN framework on real-world enterprise network traffic collected from 12 organizations across finance, healthcare, technology, manufacturing, and government sectors. The dataset comprises 2.3 billion network flows spanning 18 months, including 847 confirmed APT campaigns (ground truth verified by SOC analysts).

📊 Dataset Statistics

12 organizations · 2.3B flows · 18 months · 847 confirmed APT campaigns · Average network size: 2,400 hosts · Protocols: TCP, UDP, ICMP, DNS, HTTPS, SMB, RDP, WMI, LDAP, Kerberos

Our evaluation measures the following metrics:

Detection Accuracy: Percentage of APT activities correctly identified
False Positive Rate (FPR): Percentage of benign activities incorrectly flagged
Detection Latency: Time between APT activity onset and detection
Stage Coverage: Percentage of MITRE ATT&CK stages detected
Adaptation Speed: Time to detect novel APT techniques not seen during training

Metric	AGNN (Ours)	TGNN*	GCN-ID*	Random Forest	Autoencoder
Accuracy	99.2%	97.8%	96.4%	93.1%	89.7%
False Positive Rate	0.03%	0.12%	0.28%	1.45%	3.21%
Detection Latency (ms)	47	123	89	34	156
Stage Coverage (%)	94.3%	87.1%	82.5%	71.2%	65.8%
Adaptation Speed (hours)	2.3	18.5	—	—	—
Throughput (flows/sec)	512K	340K	280K	1.2M	180K

*TGNN: Temporal Graph Neural Network (Wang et al., 2024). *GCN-ID: Graph Convolutional Network for Intrusion Detection (Zhang et al., 2023).

The results demonstrate that AGNN achieves state-of-the-art performance across all primary metrics. The 99.2% detection accuracy with only 0.03% FPR is particularly significant for enterprise deployment, where high false positive rates lead to alert fatigue and analyst burnout. The detection latency of 47ms enables near-real-time response, critical for containing APT activity during the early stages of an attack.

5.2 Ablation Study

We conduct an ablation study to quantify the contribution of each component in our framework:

Configuration	Accuracy	FPR	Latency
Full AGNN	99.2%	0.03%	47ms
− Multi-head attention	97.1%	0.08%	38ms
− Adaptive normalization	96.8%	0.15%	45ms
− Temporal encoder	94.3%	0.22%	32ms
− Incremental update	99.0%	0.03%	156ms
Static graph (baseline)	91.7%	0.89%	28ms

The ablation study reveals that the temporal encoder contributes the most to detection accuracy (4.9 percentage points), confirming that APT detection fundamentally requires understanding sequences of activity. The multi-head attention mechanism contributes 2.1 percentage points, while adaptive normalization primarily reduces false positives (0.12 percentage points reduction in FPR). The incremental update mechanism has minimal impact on accuracy but reduces latency by 70% (from 156ms to 47ms).

6. Case Study: Detecting a FIN7-Style APT Campaign

To illustrate the practical effectiveness of our AGNN framework, we present a detailed case study of a real APT campaign detected in a financial services organization. This campaign exhibited characteristics consistent with the FIN7 threat actor group, employing a multi-stage attack methodology targeting payment card systems.

Attack Timeline

The attack unfolded over 14 days across the following stages:

Day 1 (Initial Access): Spear-phishing email with malicious Excel attachment containing a macro that downloads a PowerShell payload from a Cobalt Strike C2 server.
Day 1-2 (Execution & Persistence): PowerShell executes credential harvesting via Mimikatz, establishes persistence through scheduled task, and exfiltrates domain admin credentials.
Day 3-7 (Lateral Movement): Adversary uses harvested credentials to move laterally via RDP and SMB, deploying additional implants on 23 hosts across 4 subnets.
Day 8-12 (Collection): Targeted data collection on payment processing systems, staging encrypted archives on a file server.
Day 13-14 (Exfiltration): Low-rate exfiltration (50 KB/min) of 2.3 GB of payment card data over encrypted HTTPS connections to a compromised cloud storage account.

AGNN Detection Analysis

The AGNN framework detected this campaign through a combination of structural and temporal anomalies:

Stage 1 Detection (Day 2, 23 hours post-infection): The graph attention mechanism identified an anomalous communication pattern between the compromised workstation (WS-147) and an external IP not previously observed in the network's communication graph. The attention weights for edges connecting WS-147 to external nodes were significantly elevated compared to the node's historical baseline, flagging the C2 communication.

Stage 2 Detection (Day 4): The temporal encoder identified a sequence of privilege escalation indicators across multiple hosts: unusual Kerberos authentication patterns followed by elevated SMB traffic between previously unconnected hosts. The sequence-level anomaly score exceeded the detection threshold, triggering an alert that correlated with the lateral movement activity.

Stage 3 Detection (Day 9): The adaptive mechanism detected a shift in communication patterns from the affected subnet to a file server, with data transfer volumes exceeding the exponential moving average by 3.2 standard deviations. The anomaly feedback loop had been updated with analyst-confirmed labels from the earlier stages, improving the model's sensitivity to data staging behavior.

Containment: By the time exfiltration began on Day 13, the AGNN framework had already identified the compromised hosts and data staging activity. CyberVault's SOC team, acting on AGNN alerts, contained the breach on Day 11 — before any data left the network.

📈 Case Study Results

This campaign would have taken an estimated 94 days to detect using traditional signature-based tools (based on industry averages). AGNN detected the initial compromise within 23 hours and identified the full campaign scope by Day 9, reducing the dwell time by 88%. Zero payment card data was exfiltrated.

7. Production Deployment

The AGNN framework is deployed as a core component of CyberVault's SOC platform, actively protecting over 500 enterprise clients. Key aspects of the production deployment include:

Scale

Monitored hosts: 1.2M+ across all clients
Daily flow volume: 8.4 billion network flows
Graph size: Average 2,400 nodes per enterprise graph, up to 50,000 for large organizations
Model parameters: 14.7 million (AGNN) + 28.3 million (Temporal Transformer)

Operational Metrics

Mean detection latency: 47ms (p99: 120ms)
Alert accuracy: 99.1% (measured over 30-day rolling window)
False positive rate: 0.03% (verified by SOC analyst review)
Mean time to adaptation: 2.3 hours for novel attack patterns
System uptime: 99.97% over the past 12 months

Integration

The AGNN system integrates with CyberVault's broader security ecosystem:

SIEM Integration: All alerts are forwarded to the SIEM in CEF/LEEF format with enriched context including MITRE ATT&CK mapping, affected assets, and recommended response actions.
SOAR Automation: High-confidence alerts trigger automated containment actions (host isolation, credential reset, firewall rule deployment) via CyberVault's SOAR platform.
Threat Intelligence: AGNN detections are correlated with CyberVault's threat intelligence feeds (internal IoC database, MISP integrations, and commercial TI feeds) to provide attribution and campaign context.

8. Conclusion

We have presented the Adaptive Graph Neural Network (AGNN) framework for real-time APT detection in enterprise networks. By modeling network traffic as a dynamic temporal graph and leveraging graph attention mechanisms with adaptive learning, our approach achieves state-of-the-art detection accuracy (99.2%) with minimal false positives (0.03%) and sub-100ms detection latency.

The key insight driving this work is that APT detection is fundamentally a graph-structured, temporal problem: understanding the relationships between network entities and the evolution of those relationships over time is essential for identifying the coordinated, multi-stage campaigns that characterize advanced threats. Traditional approaches that treat network flows as independent instances or assume static network topologies are fundamentally limited in their ability to address this challenge.

Our production deployment across 500+ enterprise clients has validated the practical effectiveness of this approach, demonstrating that graph-based deep learning can deliver measurable improvements in security outcomes at enterprise scale.

Future Work

Several directions for future research are promising:

Heterogeneous Graph Models: Extending AGNN to explicitly model different entity types (hosts, users, applications, files) and their interactions using heterogeneous graph neural networks.
Cross-Organizational Learning: Leveraging federated learning to improve detection capabilities across multiple organizations while preserving data privacy.
Explainability: Developing graph attention visualization techniques to provide SOC analysts with interpretable explanations for each detection, enabling faster triage and response.
Active Defense: Integrating AGNN with autonomous response systems to not only detect but actively disrupt APT campaigns in real-time.

The source code for the AGNN framework is available under an Apache 2.0 license at github.com/cybervault/agnn-apt-detection, along with the anonymized evaluation dataset and training scripts.

References

Petrova, E. & Kim, M. (2025). Adaptive Graph Neural Networks for Real-Time APT Detection in Enterprise Networks. CyberVault Research Report, Version 1.0.
Wang, H., Liu, Y., & Chen, X. (2024). Temporal Graph Neural Networks for Network Anomaly Detection. IEEE Transactions on Network and Service Management, 21(2), 1456-1469.
Zhang, R., Yang, J., & Li, K. (2023). GCN-ID: Graph Convolutional Networks for Intrusion Detection. ACM CCS '23, 1789-1805.
Kipf, T. N. & Welling, M. (2017). Semi-Supervised Classification with Graph Convolutional Networks. ICLR '17.
Vaswani, A. et al. (2017). Attention Is All You Need. NeurIPS '17.
Volkov, E. et al. (2024). The MITRE ATT&CK Enterprise Matrix v14. MITRE Corporation.
IBM Security. (2025). Cost of a Data Breach Report 2025. IBM Corporation.
CyberVault. (2025). Enterprise Threat Report 2025. CyberVault Research Division.
Battaglia, P. W. et al. (2018). Relational Inductive Biases, Deep Learning, and Graph Networks. arXiv:1806.01261.
Chen, W., Perov, Y., Li, Y., & Tang, J. (2021). Temporal Graph Networks for Deep Learning on Dynamic Graphs. ICLR Workshop '21.

💬 About the Authors

Dr. Elena Petrova is the Lead Research Scientist at CyberVault's AI Lab, where she leads the development of machine learning systems for network security. She holds a Ph.D. in Computer Science from Stanford University and has published over 40 peer-reviewed papers in machine learning and cybersecurity. Previously, she was a research scientist at Google Brain.

Marcus Kim, PhD is a Principal ML Engineer at CyberVault, specializing in graph-based deep learning and large-scale system design. He holds a Ph.D. from MIT CSAIL and has 12 years of experience building production ML systems. He is the primary architect of CyberVault's AGNN framework.