Abstract:
The Industrial Internet is an important part of the national critical information infrastructure. Enabling comprehensive interconnectivity among humans, machines, and Internet of Things devices allows a new architecture of industrial production, manufacturing, and service to form. However, a great number of security vulnerabilities exist in industrial devices, especially legacy industrial devices. They can be maliciously exploited during device interconnection, causing severe security incidents or economic losses. Among the major security threats facing the Industrial Internet today, botnet attacks are particularly concerning. By exploiting zero-day vulnerabilities (e.g., buffer overflows in programmable logic controller firmware) and propagating and deploying polymorphic malware, attackers can covertly hijack a large number of networked devices and recruit the compromised devices into botnets to launch coordinated large-scale attacks on target networks. However, traditional botnet detection methods (e.g., rule-, threshold-, and machine learning-based methods) have significant limitations. Rule- and threshold-based botnet detection techniques, which depend heavily on static signatures (e.g., known malicious Internet Protocol address lists) or predefined detection thresholds, struggle to adapt to the dynamic nature of complex network environments, which ultimately constrains their detection capabilities. Meanwhile, traditional machine learning-based detection techniques cannot easily process complex, high-dimensional network communication features, resulting in poor detection performance. Deep learning-based detection techniques, which generally treat network traffic as isolated time-series or spatial data, fail to model the topological dependencies between devices in complex communication networks; this is a key limitation in identifying coordinated botnet behaviors (e.g., synchronized command-and-control communications).
To address these challenges, we leverage the pervasive device-to-device connectivity in the Industrial Internet by modeling the communication network as a graph, where nodes represent devices and edges represent communication relationships between devices, to obtain an accurate topology representation. On top of this graph model, we propose a novel approach for detecting botnet anomalous communication using graph neural network (GNN)-enhanced communication features. First, our method extracts fine-grained node and communication features from network traffic data and employs a GNN to propagate and aggregate node information across the entire network. By capturing topological dependencies, the method generates more accurate aggregated node feature representations. In this step, a multihead attention mechanism is integrated with the GNN to perform weighted aggregation of node features in diverse ways, enhancing the flexibility of the node feature representation. The aggregated node features are then used to enhance the communication features. Finally, a multilayer perceptron model classifies the enhanced communication features as normal or abnormal, thus achieving automatic detection of botnet anomalous communication. To validate the effectiveness of the proposed approach, we conducted a series of experiments on a public large-scale dataset, CTU-13, which includes 13 distinct botnet attack scenarios. We compared the proposed approach against a group of baseline methods, including a convolutional neural network (CNN), long short-term memory (LSTM), CNN-LSTM, and the recently proposed Bot-DM method, across a comprehensive set of metrics such as accuracy, recall, precision, and F1-score. The experimental results demonstrate that our approach outperforms existing botnet detection methods in detection performance.
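The pipeline the abstract describes (device graph, multihead-attention aggregation of node features, enhancement of per-communication features with the aggregated endpoint features, MLP classification) can be followed end to end on a toy graph. The code below is an added illustration written for this page, not the authors' implementation: the device names, feature choices, the GAT-style attention scoring (a learnable vector applied to the concatenated projected endpoint features, LeakyReLU, softmax over the neighbourhood) and the untrained seeded weights are all assumptions made here so that the example runs offline in plain Python. It also handles the edge case of a device with no incoming communications, which still obtains an aggregated representation through its self-loop.

```python
import math
import random

# Constructed toy Industrial Internet communication graph (not from CTU-13 or the paper).
# Node features: [flows_initiated, distinct_peers, mean_packet_size], scaled to [0,1].
NODE_FEATURES = {
    "plc-01":  [0.20, 0.10, 0.50],
    "hmi-01":  [0.35, 0.20, 0.60],
    "hist-01": [0.10, 0.05, 0.80],
    "dev-77":  [0.95, 0.90, 0.05],   # constructed: many flows, many peers, tiny packets
}
# Communication (edge) features: [bytes_per_flow, duration_s, packets], scaled to [0,1].
EDGES = [
    ("hmi-01", "plc-01",  [0.40, 0.30, 0.35]),
    ("plc-01", "hist-01", [0.70, 0.50, 0.60]),
    ("dev-77", "plc-01",  [0.02, 0.01, 0.05]),
    ("dev-77", "hmi-01",  [0.02, 0.01, 0.05]),
]

def rand_matrix(rng, rows, cols, scale=0.5):
    return [[rng.uniform(-scale, scale) for _ in range(cols)] for _ in range(rows)]

def matvec(m, v):
    return [sum(mi * vi for mi, vi in zip(row, v)) for row in m]

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def leaky_relu(x, slope=0.2):
    return x if x > 0 else slope * x

def softmax(xs):
    m = max(xs)
    exps = [math.exp(x - m) for x in xs]
    s = sum(exps)
    return [e / s for e in exps]

def build_neighbourhood(nodes, edges):
    """Incoming neighbours plus a self-loop, so a device with no inbound
    communications still aggregates (from itself) instead of being dropped."""
    nbrs = {n: {n} for n in nodes}
    for src, dst, _ in edges:
        nbrs[dst].add(src)
    return nbrs

def multihead_attention_aggregate(node_feats, edges, heads=2, hidden=4, seed=0):
    """GAT-style layer (assumed form): per head, project node features with W_h,
    score each (node, neighbour) pair with a_h . [W_h x_i || W_h x_j], softmax
    over the neighbourhood and take the weighted sum; head outputs are concatenated.
    Returns (aggregated node features, attention coefficients per head)."""
    rng = random.Random(seed)
    nodes = list(node_feats)
    in_dim = len(next(iter(node_feats.values())))
    nbrs = build_neighbourhood(nodes, edges)
    aggregated = {n: [] for n in nodes}
    attention = []
    for _ in range(heads):
        W = rand_matrix(rng, hidden, in_dim)
        a = [rng.uniform(-0.5, 0.5) for _ in range(2 * hidden)]
        proj = {n: matvec(W, node_feats[n]) for n in nodes}
        head_attn = {}
        for i in nodes:
            js = sorted(nbrs[i])
            scores = [leaky_relu(dot(a, proj[i] + proj[j])) for j in js]
            alphas = softmax(scores)          # weights over the neighbourhood, sum to 1
            head_attn[i] = dict(zip(js, alphas))
            h_i = [0.0] * hidden
            for j, alpha in zip(js, alphas):
                for k in range(hidden):
                    h_i[k] += alpha * proj[j][k]
            aggregated[i].extend(h_i)         # concatenate this head's output
        attention.append(head_attn)
    return aggregated, attention

def enhance_edge_features(edges, aggregated):
    """Communication feature enhancement: [e_ij || h_i || h_j]."""
    return {(s, d): e + aggregated[s] + aggregated[d] for s, d, e in edges}

def mlp_classify(x, hidden=8, seed=1):
    """Two-layer MLP; the sigmoid output is P(anomalous). Weights are untrained
    (seeded random), so the value only illustrates the forward pass."""
    rng = random.Random(seed)
    W1 = rand_matrix(rng, hidden, len(x))
    b1 = [rng.uniform(-0.1, 0.1) for _ in range(hidden)]
    W2 = rand_matrix(rng, 1, hidden)
    h = [max(0.0, v + b) for v, b in zip(matvec(W1, x), b1)]   # ReLU hidden layer
    z = matvec(W2, h)[0]
    return 1.0 / (1.0 + math.exp(-z))

def detect(node_feats=NODE_FEATURES, edges=EDGES, heads=2, hidden=4):
    """Full pipeline: aggregate node features, enhance each communication, classify."""
    aggregated, attention = multihead_attention_aggregate(node_feats, edges, heads, hidden)
    enhanced = enhance_edge_features(edges, aggregated)
    scores = {k: mlp_classify(v) for k, v in enhanced.items()}
    return aggregated, attention, enhanced, scores

if __name__ == "__main__":
    agg, attn, enh, sc = detect()
    for (s, d), p in sc.items():
        print(f"{s} -> {d}: enhanced dim={len(enh[(s, d)])}, P(anomalous)={p:.3f}")
```

Each communication is scored from a vector of length `edge_dim + 2 * heads * hidden` (here 3 + 2 * 8 = 19): its own traffic statistics plus the attention-aggregated representations of both endpoints, which is how neighbourhood context such as a device fanning out short flows to many peers enters the per-communication decision. In a real deployment the projection, attention and MLP weights would be trained on labelled traffic; the seeded random weights here exist only to make the forward pass reproducible.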