Anomaly detection is a critical task in cybersecurity, where identifying insider threats, access violations, and coordinated attacks is essential for ensuring system resilience. Graph-based approaches have become increasingly important for modeling entity interactions, yet most rely on homogeneous and static structures, which limits their ability to capture the heterogeneity and temporal evolution of real-world environments. Heterogeneous Graph Neural Networks (HGNNs) have emerged as a promising paradigm for anomaly detection by incorporating type-aware transformations and relation-sensitive aggregation, enabling more expressive modeling of complex cyber data. However, current research on HGNN-based anomaly detection remains fragmented, with diverse modeling strategies, limited comparative evaluation, and an absence of standardized benchmarks. To address this gap, we provide a comprehensive survey of HGNN-based anomaly detection methods in cybersecurity. We introduce a taxonomy that classifies approaches by anomaly type and graph dynamics, analyze representative models, and map them to key cybersecurity applications. We also review commonly used benchmark datasets and evaluation metrics, highlighting their strengths and limitations. Finally, we identify key open challenges related to modeling, data, and deployment, and outline promising directions for future research. This survey aims to establish a structured foundation for advancing HGNN-based anomaly detection toward scalable, interpretable, and practically deployable solutions.
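To make the two mechanisms the abstract names concrete, here is an added toy example (not code from the survey or from any model it reviews) of type-aware transformation and relation-sensitive aggregation on a small user/host authentication graph, followed by a distance-to-type-centroid anomaly score. The logon events, node features, projection matrices and relation weights are all constructed for illustration; the scoring rule (coordinate-wise median per node type) is an assumption chosen so that a single outlier does not drag the baseline toward itself.

```python
"""Toy heterogeneous-graph message passing for anomaly scoring (added example).

Node types: "user" and "host" with raw features of different dimension, so a
per-type projection W_type maps both into one shared space (type-aware
transformation). Edge types: user -logon-> host and host -logon_by-> user,
each aggregated separately with its own weight (relation-sensitive
aggregation). All numbers below are constructed, not taken from any dataset.
"""
import math
from collections import defaultdict
from statistics import median

# Constructed logon events (user, host): four workstation users plus
# "mallory", who authenticates to every server in the estate.
LOGON_EVENTS = [
    ("alice", "ws01"), ("alice", "ws02"),
    ("bob", "ws02"), ("bob", "ws03"),
    ("carol", "ws03"), ("carol", "ws01"),
    ("dave", "ws04"),
    ("mallory", "srv-db"), ("mallory", "srv-dc"),
    ("mallory", "srv-file"), ("mallory", "ws04"),
]

# Raw features per type (constructed). user: [is_admin, tenure]
# host: [is_server, criticality, in_restricted_segment]
USER_FEATS = {"alice": [0.0, 0.1], "bob": [0.0, 0.2], "carol": [0.0, 0.3],
              "dave": [0.0, 0.4], "mallory": [0.0, 0.5]}
HOST_FEATS = {"ws01": [0.0, 0.1, 0.0], "ws02": [0.0, 0.1, 0.0],
              "ws03": [0.0, 0.1, 0.0], "ws04": [0.0, 0.2, 0.0],
              "srv-db": [1.0, 0.9, 1.0], "srv-dc": [1.0, 1.0, 1.0],
              "srv-file": [1.0, 0.8, 1.0]}
NODE_FEATS = {"user": USER_FEATS, "host": HOST_FEATS}

# Type-aware projections W_type: raw dim -> shared dim 2 (fixed, constructed;
# a trained HGNN would learn these).
W_TYPE = {
    "user": [[1.0, 0.0], [0.0, 1.0]],
    "host": [[1.0, 0.0], [0.0, 1.0], [0.5, 0.5]],
}
# Relation-sensitive weights: one scalar per edge type (constructed).
REL_WEIGHT = {"logon": 1.0, "logon_by": 1.0}


def project(x, W):
    """Row-vector times matrix: out[j] = sum_i x[i] * W[i][j]."""
    return [sum(x[i] * W[i][j] for i in range(len(x))) for j in range(len(W[0]))]


def build_graph(events):
    """Typed adjacency: nbrs[(ntype, node)][relation] -> list of (ntype, node)."""
    nbrs = defaultdict(lambda: defaultdict(list))
    for user, host in events:
        nbrs[("user", user)]["logon"].append(("host", host))
        nbrs[("host", host)]["logon_by"].append(("user", user))
    return nbrs


def embed(nbrs):
    """One message-passing layer: h_v = W_type(v) x_v + sum_r w_r * mean_{u in N_r(v)} W_type(u) x_u."""
    proj = {(t, n): project(x, W_TYPE[t])
            for t, feats in NODE_FEATS.items() for n, x in feats.items()}
    emb = {}
    for node, p in proj.items():
        h = list(p)  # self term after type-aware projection
        for rel, ns in nbrs[node].items():  # one mean per relation, then combined
            w = REL_WEIGHT[rel]
            for j in range(len(h)):
                h[j] += w * sum(proj[u][j] for u in ns) / len(ns)
        emb[node] = h
    return emb


def anomaly_scores(emb, ntype):
    """Distance of each node of one type from that type's coordinate-wise median."""
    vecs = {n: h for (t, n), h in emb.items() if t == ntype}
    dim = len(next(iter(vecs.values())))
    center = [median(h[j] for h in vecs.values()) for j in range(dim)]
    return {n: math.dist(h, center) for n, h in vecs.items()}


def rank_anomalies(ntype, events=LOGON_EVENTS):
    """Nodes of the given type, highest anomaly score first."""
    scores = anomaly_scores(embed(build_graph(events)), ntype)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for ntype in ("user", "host"):
        print(ntype)
        for name, score in rank_anomalies(ntype):
            print(f"  {name:10s} {score:.3f}")
```

Run as a script it lists users and hosts by score; "mallory" stands out among users because her neighbourhood under the `logon` relation is dominated by server nodes whose projected features differ sharply from workstations, which is exactly the signal a homogeneous, untyped graph would blur. Among hosts, the servers score high simply because their own features differ from workstations, which is why per-type baselines matter.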