Traditional static Graph Neural Network (GNN) inference architectures fail to simultaneously achieve low latency and adaptability to bursty workloads in real-time provenance-graph-based intrusion detection. Method: This paper proposes the first serverless architecture tailored for GNN inference, decoupling the GNN inference pipeline and migrating it to a Function-as-a-Service (FaaS) environment. It integrates graph data sharding, fine-grained function-level parallelism, and dynamic elastic scaling to enable on-demand decoupling of computational resources from graph processing tasks. Contribution/Results: Experiments demonstrate that our approach reduces average detection latency by 85% and decreases the coefficient of latency variation by 64% compared to baseline methods. This significantly enhances both real-time responsiveness and system stability under dynamic network traffic conditions.

Provenance-based intrusion detection is an increasingly popular application of graphical machine learning in cybersecurity, where system activities are modeled as provenance graphs to capture causality and correlations among potentially malicious actions. Graph Neural Networks (GNNs) have demonstrated strong performance in this setting. However, traditional statically-provisioned GNN inference architectures fall short in meeting two crucial demands of intrusion detection: (1) maintaining consistently low detection latency, and (2) handling highly irregular and bursty workloads. To holistically address these challenges, we present GraphFaaS, a serverless architecture tailored for GNN-based intrusion detection. GraphFaaS leverages the elasticity and agility of serverless computing to dynamically scale the GNN inference pipeline. We parallelize and adapt GNN workflows to a serverless environment, ensuring that the system can respond in real time to fluctuating workloads. By decoupling compute resources from static provisioning, GraphFaaS delivers stable inference latency, which is critical for dependable intrusion detection and timely incident response in cybersecurity operations. Preliminary evaluation shows GraphFaaS reduces average detection latency by 85% and coefficient of variation (CV) by 64% compared to the baseline.