ARES: Anomaly Recognition Model For Edge Streams

📅 2025-11-26
📈 Citations: 0
Influential: 0
🤖 AI Summary
To address the challenge of unsupervised anomaly detection in dynamic temporal graph edge streams—characterized by pronounced concept drift, massive data volume, and stringent real-time requirements—this paper proposes a novel learning framework. Methodologically, it jointly embeds nodes and edges via a graph neural network (GNN) and employs a half-space tree (HST) to efficiently partition the latent embedding space and compute anomaly scores. Furthermore, it introduces a lightweight, label-efficient adaptive thresholding mechanism, enhanced by statistical dispersion analysis to improve decision robustness. Extensive experiments on real-world network intrusion datasets demonstrate that the proposed method consistently outperforms state-of-the-art baselines in detection accuracy, while maintaining low time and space complexity and exhibiting strong generalization across diverse, highly dynamic, large-scale graph stream scenarios.

📝 Abstract
Many real-world scenarios involving streaming information can be represented as temporal graphs, where data flows through dynamic changes in edges over time. Anomaly detection in this context has the objective of identifying unusual temporal connections within the graph structure. Detecting edge anomalies in real time is crucial for mitigating potential risks. Unlike traditional anomaly detection, this task is particularly challenging due to concept drifts, large data volumes, and the need for real-time response. To face these challenges, we introduce ARES, an unsupervised anomaly detection framework for edge streams. ARES combines Graph Neural Networks (GNNs) for feature extraction with Half-Space Trees (HST) for anomaly scoring. GNNs capture both spike and burst anomalous behaviors within streams by embedding node and edge properties in a latent space, while HST partitions this space to isolate anomalies efficiently. ARES operates in an unsupervised way without the need for prior data labeling. To further validate its detection capabilities, we additionally incorporate a simple yet effective supervised thresholding mechanism. This approach leverages statistical dispersion among anomaly scores to determine the optimal threshold using a minimal set of labeled data, ensuring adaptability across different domains. We validate ARES through extensive evaluations across several real-world cyber-attack scenarios, comparing its performance against existing methods while analyzing its space and time complexity.
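
An added sketch (not from the paper or its authors) of the Half-Space Tree scoring stage the abstract describes, following the published streaming HS-Trees mass-scoring scheme. The class and function names, the parameter values, and the constructed 2-D vectors that stand in for GNN edge embeddings are assumptions; the GNN and thresholding stages are not modelled.

```python
import random

class HalfSpaceTrees:
    def __init__(self, dims, n_trees=25, depth=8, window=64, size_limit=0, seed=7):
        self.depth, self.window, self.size_limit, self.seen = depth, window, size_limit, 0
        self.trees = [self._build(dims, random.Random(seed + j)) for j in range(n_trees)]

    def _build(self, dims, rng):
        # Splits are fixed before data arrives (inputs scaled to [0, 1]); heap layout: i -> 2i+1, 2i+2.
        n = 2 ** (self.depth + 1) - 1
        tree = {key: [0] * n for key in ("q", "mid", "ref", "new")}
        centres = [rng.random() for _ in range(dims)]
        boxes = {0: [(s - 2 * max(s, 1 - s), s + 2 * max(s, 1 - s)) for s in centres]}
        for i in range(2 ** self.depth - 1):  # internal nodes only
            box, q = boxes.pop(i), rng.randrange(dims)
            lo, hi = box[q]
            tree["q"][i], tree["mid"][i] = q, (lo + hi) / 2
            boxes[2 * i + 1] = box[:q] + [(lo, tree["mid"][i])] + box[q + 1:]
            boxes[2 * i + 2] = box[:q] + [(tree["mid"][i], hi)] + box[q + 1:]
        return tree

    def _path(self, tree, x):
        path = [0]  # path[k] is the node x falls into at depth k
        for _ in range(self.depth):
            i = path[-1]
            path.append(2 * i + 1 + (x[tree["q"][i]] >= tree["mid"][i]))
        return path

    def score_and_learn(self, x):  # returns the mass score; lower = more anomalous
        score = 0
        for t in self.trees:
            path = self._path(t, x)
            # Stop at the first sparse node of the reference window, or at the leaf.
            k = next(k for k, i in enumerate(path)
                     if k == self.depth or t["ref"][i] <= self.size_limit)
            score += t["ref"][path[k]] * 2 ** k
            for i in path:
                t["new"][i] += 1
        self.seen += 1
        if self.seen % self.window == 0:  # window full: latest counts become the reference
            for t in self.trees:
                t["ref"], t["new"] = t["new"], [0] * len(t["new"])
        return score

def demo():
    # Constructed 2-D vectors standing in for GNN edge embeddings (assumption).
    hst, rng = HalfSpaceTrees(dims=2), random.Random(1)
    normal = [(rng.uniform(0.25, 0.35), rng.uniform(0.25, 0.35)) for _ in range(128)]
    for x in normal:
        hst.score_and_learn(x)
    return hst.score_and_learn(normal[-1]), hst.score_and_learn((0.95, 0.95))
```

Scores are 0 until the first window completes, because the reference counts are still empty.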

Problem

Research questions and friction points this paper is trying to address.

Detects anomalies in real-time edge streams
Addresses concept drifts and large data volumes
Operates unsupervised with adaptive thresholding

Innovation

Methods, ideas, or system contributions that make the work stand out.

Unsupervised GNN-HST fusion for edge streams
Latent space embedding captures spike and burst anomalies
Supervised thresholding with minimal labels for adaptability