Anomaly detection is a critical task in cybersecurity, where identifying insider threats, access violations, and coordinated attacks is essential for ensuring system resilience. Graph-based approaches have become increasingly important for modeling entity interactions, yet most rely on homogeneous and static structures, which limits their ability to capture the heterogeneity and temporal evolution of real-world environments. Heterogeneous Graph Neural Networks (HGNNs) have emerged as a promising paradigm for anomaly detection by incorporating type-aware transformations and relation-sensitive aggregation, enabling more expressive modeling of complex cyber data. However, current research on HGNN-based anomaly detection remains fragmented, with diverse modeling strategies, limited comparative evaluation, and an absence of standardized benchmarks. To address this gap, we provide a comprehensive survey of HGNN-based anomaly detection methods in cybersecurity. We introduce a taxonomy that classifies approaches by anomaly type and graph dynamics, analyze representative models, and map them to key cybersecurity applications. We also review commonly used benchmark datasets and evaluation metrics, highlighting their strengths and limitations. Finally, we identify key open challenges related to modeling, data, and deployment, and outline promising directions for future research. This survey aims to establish a structured foundation for advancing HGNN-based anomaly detection toward scalable, interpretable, and practically deployable solutions.
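To make concrete what the abstract means by "type-aware transformations and relation-sensitive aggregation", the following is an added, self-contained example that is not from the survey or any of the models it covers. It builds a constructed toy heterogeneous graph (users logging on to hosts, with different feature dimensions per node type), runs one hand-written HGNN layer with fixed, untrained per-type weight matrices, and scores each user by its distance from the centroid of same-type embeddings. The graph, the weights and the centroid-distance scorer are all illustrative assumptions standing in for a trained detector; the point is the structural mechanism, not detection quality.

```python
"""Minimal heterogeneous-graph message passing with type-aware transforms and
relation-sensitive aggregation, followed by a simple outlier score.
Pure Python, no dependencies. Every value below is constructed for illustration."""
from collections import defaultdict
from math import sqrt
from statistics import mean, pstdev

# Constructed node features, keyed by node type. Types have different feature
# dimensions (users: 2, hosts: 3), which is exactly why a per-type transform is needed.
FEATURES = {
    "user": {"u1": [1.0, 0.0], "u2": [1.0, 0.0], "u3": [1.0, 0.0], "u4": [1.0, 0.0]},
    "host": {"h1": [1.0, 0.0, 0.0],   # workstation
             "h2": [1.0, 0.0, 0.0],   # workstation
             "h3": [0.0, 0.0, 1.0],   # domain controller
             "h4": [0.0, 1.0, 0.0]},  # file server
}
# Constructed typed edges: (src_type, relation, dst_type) -> list of (src, dst).
# u4 is the only plain user who logs on to the domain controller.
EDGES = {
    ("user", "logon", "host"): [("u1", "h1"), ("u2", "h2"), ("u3", "h1"),
                                ("u3", "h4"), ("u4", "h3")],
}
# Type-aware projection: one weight matrix per node type (rows = input dims),
# mapping every type into a shared 2-dim space. Hand-picked, untrained weights.
WEIGHTS = {
    "user": [[1.0, 0.0], [0.0, 1.0]],
    "host": [[1.0, 0.0], [0.5, 0.5], [0.0, 1.0]],
}


def project(vec, w):
    """Return x @ W for a single feature vector; W is given as a list of rows."""
    return [sum(x * row[j] for x, row in zip(vec, w)) for j in range(len(w[0]))]


def hgnn_layer(features, edges, weights):
    """One HGNN layer: h_v = W_type(v) x_v + sum_r mean_{u in N_r(v)} W_type(u) x_u.

    Messages are grouped by relation before averaging (relation-sensitive
    aggregation), so neighbours reached over different edge types never mix.
    Each relation is also propagated in reverse (prefixed 'rev_'), so hosts
    receive messages from the users that logged on to them."""
    transformed = {(t, n): project(x, weights[t])
                   for t, nodes in features.items() for n, x in nodes.items()}
    inbox = defaultdict(lambda: defaultdict(list))  # (type, node) -> relation -> messages
    for (st, rel, dt), pairs in edges.items():
        for s, d in pairs:
            inbox[(dt, d)][rel].append(transformed[(st, s)])
            inbox[(st, s)]["rev_" + rel].append(transformed[(dt, d)])
    out = {}
    for key, self_vec in transformed.items():
        h = list(self_vec)
        for msgs in inbox[key].values():          # one mean per relation
            for j in range(len(h)):
                h[j] += sum(m[j] for m in msgs) / len(msgs)
        out[key] = h
    return out


def anomaly_scores(embeddings, node_type):
    """Euclidean distance of each node of `node_type` from the centroid of its type.
    A deliberately simple stand-in for a trained anomaly scorer."""
    vecs = {n: h for (t, n), h in embeddings.items() if t == node_type}
    dim = len(next(iter(vecs.values())))
    centroid = [mean(h[j] for h in vecs.values()) for j in range(dim)]
    return {n: sqrt(sum((h[j] - centroid[j]) ** 2 for j in range(dim)))
            for n, h in vecs.items()}


def flag_anomalies(scores, k=1.0):
    """Flag nodes whose score exceeds mean + k * std of all scores of that type."""
    vals = list(scores.values())
    threshold = mean(vals) + k * pstdev(vals)
    return sorted(n for n, s in scores.items() if s > threshold)


if __name__ == "__main__":
    emb = hgnn_layer(FEATURES, EDGES, WEIGHTS)
    scores = anomaly_scores(emb, "user")
    for n, s in sorted(scores.items()):
        print(f"{n}: embedding={emb[('user', n)]} score={s:.3f}")
    print("flagged:", flag_anomalies(scores))
```

Because the host transform maps the domain controller to a different region of the shared space than workstations, the single logon edge of u4 pulls its embedding away from the other users, and the centroid-distance scorer flags only u4. Swapping the per-type matrices for learned ones and the scorer for a reconstruction or classification head gives the shape of the models the survey categorizes.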