From Flow Features to Communication Topology: Adaptive Graph Attention Network-Based IoMT Intrusion Detection

Graph neural networks have been increasingly explored for network intrusion detection, yet the effect of graph construction strategy on detection performance remains underexamined, particularly for IoMT networks. In this study, we systematically investigate how data representation, graph construction, evaluation protocol, and task formulation shape the effectiveness of graph-based intrusion detection on the CICIoMT2024 benchmark data. We compare three representation strategies: flow-level tabular features, feature-similarity graphs, and communication-topology graphs derived from raw PCAP packet captures. We further examine the effect of domain-typed edge augmentation, PCAP-level validation protocols, and task decomposition into topology-heavy and protocol-heavy attack categories. Our results show, first, that feature-similarity graphs provide no reliable advantage over Random Forest baselines; second, that PCAP-derived communication topology enables GNNs to become competitive on topology-heavy attacks; third, that domain-aware edge typing improves both performance and stability; fourth, that under proper PCAP-level validation with session-aware splits, previously reported gains diminish substantially, underscoring the importance of evaluation protocol; and fifth, that in our experiments on this dataset, GNN effectiveness depends on attack category: topology-heavy attacks (DDoS, DoS, Recon) benefit from graph modeling, while protocol-heavy attacks (MQTT, Spoofing) do not. Across five random seeds, a domain-typed Adaptive Edge-Weighted GAT achieves a macro-F1 of 0.800 ± 0.026 on the topology-heavy subset, compared with 0.784 ± 0.020 for Random Forest. These results suggest that in IoMT intrusion detection, the choice of representation and the evaluation protocol matter more than architectural complexity.
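As an added illustration (not code from the paper), the following Python builds a host-level communication-topology graph with domain-typed edges from constructed flow records and contrasts a session-aware split with a naive per-flow split, which is the leakage the abstract's evaluation-protocol finding concerns. The session ids, host addresses and edge-type scheme are assumptions.

```python
from collections import defaultdict
import random

# Constructed sample flow records, not drawn from CICIoMT2024:
# (session_id, src_host, dst_host, protocol, label)
FLOWS = [
    ("s1", "10.0.0.5", "10.0.0.1", "MQTT", "benign"),
    ("s1", "10.0.0.5", "10.0.0.1", "MQTT", "benign"),
    ("s2", "10.0.0.9", "10.0.0.1", "TCP", "ddos"),
    ("s2", "10.0.0.9", "10.0.0.1", "TCP", "ddos"),
    ("s3", "10.0.0.7", "10.0.0.1", "ICMP", "recon"),
    ("s3", "10.0.0.7", "10.0.0.5", "ICMP", "recon"),
    ("s4", "10.0.0.12", "10.0.0.9", "ARP", "spoofing"),
    ("s4", "10.0.0.12", "10.0.0.9", "ARP", "spoofing"),
]

# Assumed domain edge typing; the paper's exact type scheme is not given in the abstract.
EDGE_TYPES = {"MQTT": "app_mqtt", "TCP": "transport_tcp", "UDP": "transport_udp",
              "ICMP": "icmp", "ARP": "arp"}

def build_topology_graph(flows):
    """Hosts become nodes; each (src, dst, edge_type) triple becomes one typed edge
    whose weight is the number of flows observed on it."""
    nodes, edges = set(), defaultdict(int)
    for _, src, dst, proto, _ in flows:
        nodes.update((src, dst))
        edges[(src, dst, EDGE_TYPES.get(proto, "other"))] += 1
    return nodes, dict(edges)

def session_aware_split(flows, test_fraction=0.25, seed=0):
    """Assign whole sessions to train or test, so no session contributes flows to both."""
    sessions = sorted({f[0] for f in flows})
    random.Random(seed).shuffle(sessions)
    test_sessions = set(sessions[:max(1, round(len(sessions) * test_fraction))])
    train = [f for f in flows if f[0] not in test_sessions]
    test = [f for f in flows if f[0] in test_sessions]
    return train, test

def random_flow_split(flows, test_fraction=0.25, seed=0):
    """Naive per-flow split for comparison: flows of one session can land on both sides."""
    order = list(range(len(flows)))
    random.Random(seed).shuffle(order)
    n_test = max(1, round(len(flows) * test_fraction))
    test_idx = set(order[:n_test])
    return ([flows[i] for i in order if i not in test_idx],
            [flows[i] for i in test_idx])

def sessions_overlap(train, test):
    """True when at least one session id appears on both sides of a split."""
    return bool({f[0] for f in train} & {f[0] for f in test})
```

The per-flow split leaks session-level structure across the train/test boundary for most seeds, while the session-aware split never does; the typed edge weights are the kind of topology signal a GNN consumes that a flow-level tabular model does not see.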
