Method for detecting SDN flow table overflow attack based on multi-edge graph

By constructing directed multi-sided heterogeneous graphs and graph neural networks, the problems of insufficient accuracy and path tracing capability in SDN flow table overflow attack detection are solved, enabling efficient identification and early warning of complex and dynamic attacks, and improving the security and stability of SDN networks.

CN122268599APending Publication Date: 2026-06-23GUIZHOU UNIV

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
GUIZHOU UNIV
Filing Date
2024-12-19
Publication Date
2026-06-23

AI Technical Summary

Technical Problem

Existing SDN flow table overflow attack detection methods suffer from insufficient detection accuracy, inability to handle dynamic and complex attack patterns, and lack of comprehensive attack path tracing capabilities, leading to false positives, false negatives, and network performance degradation.

Method used

A method for detecting SDN flow table overflow attacks based on multi-sided graphs is adopted. By constructing a directed multi-sided heterogeneous graph and combining it with graph neural networks for sampling and learning, the method uses the edge attention mechanism to dynamically adjust the influence of network flow on node states, track the attack path and locate the attack source.

Benefits of technology

It improves the accuracy and robustness of detection, enhances the adaptability to complex and dynamic attack patterns, enables precise attack path tracing and early warning, and improves network security and reliability.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122268599A_ABST
    Figure CN122268599A_ABST
Patent Text Reader

Abstract

The application relates to the field of network communication technology and discloses a multi-edge graph-based SDN flow table overflow attack detection method.The technical scheme is as follows: when the collected SDN network state value exceeds a set threshold value, network control information is collected, and statistical characteristics are extracted; a directed multi-edge heterogeneous graph is obtained according to the statistical characteristics; the directed multi-edge heterogeneous graph is input into a detection model based on a graph neural network, and the edges and nodes of the directed multi-edge heterogeneous graph are sampled and learned; according to the generated directed multi-edge heterogeneous graph, the SDN network is divided into normal flow and abnormal flow; and according to the abnormal flow, the propagation path of the attack in the SDN network is tracked, and the attack source is located.The application is suitable for application in the work of attack detection in the SDN network.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of network communication technology, and in particular to a method for detecting SDN flow table overflow attacks based on polygon graphs. Background Technology

[0002] With the continuous development of computer network technology, the complexity and scale of network architectures are constantly expanding, and traditional network architectures are gradually revealing many problems. To address these challenges, Software-Defined Networking (SDN) has emerged. As a new network architecture, it decouples network control from data forwarding functions, using a centralized controller to manage and configure the entire network in a unified manner. SDN's flexibility and programmability make network management more efficient and can quickly respond to dynamically changing needs. However, with the widespread application of SDN, its security issues are becoming increasingly prominent, especially in dealing with various attacks targeting SDN architectures, where existing protection technologies have certain shortcomings.

[0003] Currently, security research on SDN mainly focuses on the following aspects:

[0004] Saturation Attack Detection: In SDN, the data plane forwards packets via commands from the control plane, and switches use Tri-State Content Addressable Memory (TCAM) to store flow table entries. However, TCAM storage space is limited, restricting the number of flow table entries. A flow table overflow attack sends a large number of packets that cannot match existing flow table entries to the switch, causing the switch to quickly exhaust its flow table entries. Ultimately, this prevents the switch from processing new packets, resulting in a sharp decline in network performance and even network paralysis. Therefore, how to detect and prevent flow table overflow attacks in real time has become an important research topic in the field of SDN security.

[0005] Existing methods for detecting flow table overflow attacks primarily rely on traffic monitoring and statistical analysis. For example, some traffic analysis-based techniques determine the risk of flow table overflow attacks by monitoring abnormal fluctuations in network traffic in real time. However, these methods are prone to false positives or false negatives when faced with highly complex network traffic or spoofed attack packets, and cannot effectively distinguish between normal and attack traffic.

[0006] Anomaly Detection Based on Graph Neural Networks: Graph Neural Networks (GNNs) have demonstrated powerful capabilities in learning and detecting anomalies in graph-structured data in recent years. Devices and traffic in SDN networks can be naturally mapped to graph structures, leading some researchers to attempt to use GNNs for traffic analysis and attack detection. For example, the E-GraphSAGE model has been used to learn the relationships between nodes and edges to detect anomalous behavior. However, most of these methods can only handle static network topologies or simple traffic patterns, and they struggle to cope with dynamic and strategically sophisticated attacks such as flow table overflow attacks.

[0007] Controller status monitoring and automatic response: Some controller-based monitoring methods periodically collect and analyze the status of SDN controllers to detect potential abnormal behaviors in the network. Controllers can periodically monitor flow table information, switch status, etc., to promptly detect potential flow table overflow attacks. However, most existing methods of this type rely on relatively simple rules and thresholds, lacking sufficient intelligent analysis and are vulnerable to attackers masquerading or changing their attack strategies.

[0008] Despite some progress in detecting SDN flow table overflow attacks, the following issues remain:

[0009] Insufficient detection accuracy: Existing methods based on traffic statistics and controller monitoring often fail to accurately distinguish between normal traffic and attack traffic, resulting in serious false alarms and missed alarms, which affect the security and reliability of the network.

[0010] Unable to handle dynamic and complex attack patterns: Flow table overflow attacks are often strategic, with attackers able to disguise attack traffic or circumvent traditional traffic monitoring methods through various means. Existing models based on simple rules or static graph structures often cannot cope with these complex and dynamic attack patterns.

[0011] Lack of comprehensive attack path tracing capabilities: Most existing methods focus on the statistical characteristics of traffic or simple anomaly detection. However, in practical applications, the source and attack path of flow table overflow attacks may be complex. Existing monitoring methods cannot effectively trace the source and path of the attack, making it difficult to respond in a timely manner. Summary of the Invention

[0012] To address the shortcomings of existing technologies, which, while making some progress in SDN flow table overflow attack detection, still suffer from insufficient detection accuracy, inability to handle dynamic and complex attack patterns, and a lack of comprehensive attack path tracing capabilities, the present invention provides the following technical solution:

[0013] A method for detecting SDN flow table overflow attacks based on multi-sided graphs includes:

[0014] When the collected SDN network status values ​​exceed a set threshold, the process begins to collect network control information and extract statistical features.

[0015] The steps to obtain the directed polygonal heterogeneous graph based on the statistical characteristics;

[0016] The steps include inputting the directed polygonal heterogeneous graph into a detection model based on a graph neural network, and sampling and learning the edges and nodes of the directed polygonal heterogeneous graph.

[0017] The step of dividing the SDN network into normal flow and abnormal flow based on the directed multilateral heterogeneous graph generated by the graph neural network-based detection model;

[0018] The steps involve tracing the propagation path of the attack in the SDN network and locating the source of the attack based on the abnormal flow.

[0019] Furthermore, a preferred embodiment is provided, wherein the network control information includes: flow rule information, packet-in messages, switch information, flow table information, and network topology information.

[0020] Furthermore, a preferred implementation method is provided, which uses a periodic acquisition method to collect network control information.

[0021] Furthermore, a preferred embodiment is provided, wherein, based on the statistical characteristics, the nodes of the resulting directed multi-edge heterogeneous graph include switch nodes and host nodes, the edges include network flows, the node characteristics include statistical characteristics of flow table information, switch information and packet-in messages, and the edge characteristics include statistical characteristics of flow rule information.

[0022] Furthermore, a preferred implementation is provided, in which the edges and nodes of the directed multi-sided heterogeneous graph are sampled and learned using the E-GraphSAGE model.

[0023] Furthermore, a preferred embodiment is provided, which involves sampling and learning the edges and nodes of the directed multi-sided heterogeneous graph, calculating the influence weight of network flow on node state through an edge attention mechanism, updating the features of nodes and edges, and training the detection model based on the graph neural network.

[0024] Based on the same inventive concept, this invention also provides an SDN flow table overflow attack detection device based on polygonal graphs, comprising:

[0025] When the collected SDN network status values ​​exceed a set threshold, the module begins to collect network control information and extract statistical features.

[0026] Based on the statistical characteristics, a module for a directed polygonal heterogeneous graph is obtained;

[0027] The module that inputs the directed polygonal heterogeneous graph into a detection model based on a graph neural network and samples and learns the edges and nodes of the directed polygonal heterogeneous graph;

[0028] Based on the directed multilateral heterogeneous graph generated by the graph neural network-based detection model, the SDN network is divided into modules for normal flow and abnormal flow.

[0029] The module that tracks the propagation path of the attack in the SDN network and locates the source of the attack based on the abnormal flow.

[0030] Based on the same inventive concept, the present invention also provides a computer storage medium for storing a computing program, wherein when the computer reads the computer program, the computer executes the method described thereon.

[0031] Based on the same inventive concept, the present invention also provides a computer, including a processor and a storage medium, wherein when the processor reads a computer program stored in the storage medium, the computer executes the method described thereon.

[0032] Based on the same inventive concept, the present invention also provides a computer program product, which, when executed, implements the method described.

[0033] Compared with the prior art, the advantages of the technical solution provided by the present invention are as follows:

[0034] The present invention solves several technical problems in the prior art through a polygonal graph-based SDN flow table overflow attack detection method, and its effects are mainly reflected in the following aspects:

[0035] Improved the accuracy and robustness of detection:

[0036] This invention employs a directed multi-edge heterogeneous graph as the foundational structure for attack detection, enabling the full expression and analysis of the complex relationships between network traffic and network devices. Compared to traditional methods based on traffic statistics or simple threshold monitoring, graph-based analysis can better reveal subtle differences in traffic patterns. In particular, the introduction of edge representation learning and E-GraphSAGE graph neural networks allows for dynamic updates of network node and edge features, further improving the accuracy of attack identification and reducing false positives and false negatives. This innovation overcomes the problem of existing traffic monitoring technologies being susceptible to attack traffic spoofing, significantly improving the robustness of detection.

[0037] Enhanced adaptability to complex and dynamic attack patterns:

[0038] Existing detection methods based on rules or static graph structures often fail to adapt to changing attack patterns when dealing with complex flow table overflow attacks. In contrast, this invention employs an edge attention mechanism to dynamically adjust the impact of different network flows on node states, enabling the model to flexibly respond to different types of attacks. When attack patterns change, the edge attention mechanism can automatically adjust weights based on real-time traffic characteristics, thereby enhancing the detection method's adaptability to dynamic and complex attack patterns. This feature allows the scheme to maintain high detection accuracy even when attackers employ camouflaged traffic or other evasion techniques.

[0039] It achieves precise attack path tracing and attack source location:

[0040] Traditional flow table overflow attack detection methods primarily focus on the statistical characteristics of abnormal traffic, lacking the ability to trace attack paths and sources. This invention, by constructing a directed polygonal heterogeneous graph and combining it with a graph neural network-based learning method, can effectively trace the propagation path of attack traffic and accurately locate the attack source. This method not only improves the accuracy of flow table overflow attack detection but also provides effective data support for subsequent security responses. Compared to existing monitoring techniques based on simple rules, the path tracing capability of this scheme enables SDN networks to take timely protective measures in the early stages of an attack, reducing potential losses.

[0041] Enhanced early warning capabilities for flow table overflow attacks:

[0042] This invention periodically monitors the SDN network status and, in conjunction with network topology, flow rules, and switch information, identifies potential abnormal traffic behavior before an attack occurs. By setting thresholds, the controller can issue timely alerts and collect data for further analysis, avoiding the delayed response issues common in traditional methods. This technology enables the SDN controller to take preventative measures in the early stages of an attack, effectively reducing the impact of flow table overflow attacks on the network. Compared to existing technologies based on traffic monitoring and rule analysis, this early warning capability significantly improves the foresight of network defense.

[0043] This improves the scalability and flexibility of the detection method.

[0044] This invention proposes a flow table overflow attack detection method based on polygonal graphs. By leveraging graph neural network (GNN) model training, the system can flexibly adjust its detection strategy according to changes in the actual network environment. Compared to traditional rule-based or static graph structure-based detection methods, the GNN-based method maintains high detection efficiency and flexibility even as the network scales up or its topology changes. The GNN model can learn the underlying patterns in the network and continuously improve detection accuracy through training. This makes the proposed solution more adaptable and capable of handling SDN networks of varying sizes and complexities.

[0045] Suitable for use in attack detection in SDN networks. Attached Figure Description

[0046] Figure 1 Here is a flowchart of an SDN flow table overflow attack detection method based on polygonal graphs;

[0047] Figure 2 A flowchart for the directed polygon heterogeneous graph generation process of the SDN flow table overflow attack detection method based on polygon graphs;

[0048] Figure 3 This is a flowchart of the network flow detection process for the SDN flow table overflow attack detection method based on polygonal graphs. Detailed Implementation

[0049] To make the advantages of the technical solution provided by the present invention clearer, the technical solution provided by the present invention will now be described in further detail with reference to the accompanying drawings, specifically:

[0050] Implementation Method 1: This implementation method provides a method for detecting SDN flow table overflow attacks based on polygonal graphs, including:

[0051] When the collected SDN network status values ​​exceed a set threshold, the process begins to collect network control information and extract statistical features.

[0052] The steps to obtain the directed polygonal heterogeneous graph based on the statistical characteristics;

[0053] The steps include inputting the directed polygonal heterogeneous graph into a detection model based on a graph neural network, and sampling and learning the edges and nodes of the directed polygonal heterogeneous graph.

[0054] The step of dividing the SDN network into normal flow and abnormal flow based on the directed multilateral heterogeneous graph generated by the graph neural network-based detection model;

[0055] The steps involve tracing the propagation path of the attack in the SDN network and locating the source of the attack based on the abnormal flow.

[0056] Specifically:

[0057] include:

[0058] Step 1: Periodically monitor the SDN network status

[0059] First, the controller is activated, and it periodically monitors the status parameters of the SDN network. By analyzing the network status values, if the monitored values ​​exceed a preset security threshold, it is determined that there may be a risk of flow table overflow attacks.

[0060] The controller continuously monitors the network status to determine if there is any attack risk.

[0061] Detailed description:

[0062] The controller collects information including flow rules, packet-in messages, flow table information, switch information, and network topology information.

[0063] When the network status value exceeds the threshold, the subsequent attack detection process is initiated; otherwise, network status monitoring continues.

[0064] Step 2: Data Acquisition and Preprocessing

[0065] After detecting a potential risk, the controller begins to periodically collect network information and preprocess the information to generate statistical features.

[0066] Collect network information and generate feature data.

[0067] Detailed description:

[0068] Information collection: Collect flow rule statistics, packet-in messages, switch status information, flow table status information, and network topology information.

[0069] Data preprocessing: The collected data is processed using statistical methods to calculate the statistical characteristics of each piece of information, such as the matching rate of flow rules, the occupancy rate of flow tables, and the load of switches.

[0070] Step 3: Generate a directed multi-sided heterogeneous graph

[0071] Based on the preprocessed network information, construct a directed multilateral heterogeneous graph that reflects the current network state.

[0072] Construct a network topology graph to represent the relationships between devices and flows in the network.

[0073] Detailed description:

[0074] By treating network devices (such as switches and hosts) as nodes and network flows as edges, a directed multi-edge heterogeneous graph is generated.

[0075] Statistical features are used as feature values ​​for nodes and edges, where:

[0076] The characteristics of a switch node include statistical features of flow table statistics and switch status information.

[0077] The characteristics of the host node include the statistical characteristics of packet-in messages.

[0078] The characteristics of the edges include the statistical features of the flow rule information.

[0079] Step 4: Edge Representation Learning and Feature Update

[0080] The generated directed polygonal graph is input into a graph neural network (GNN)-based model for edge representation learning, updating the node and edge features of the graph.

[0081] The graph neural network is used to learn the feature relationships between nodes and edges.

[0082] Detailed description:

[0083] The E-GraphSAGE model is used to sample and aggregate node and edge features.

[0084] An edge attention mechanism is introduced to calculate the degree of influence of different network flows on the node state.

[0085] After updating the node features, they are appropriately assigned to relevant edges to ensure that the edge features contain both their own information and the information of the connecting nodes.

[0086] Step 5: Model Training and Detection

[0087] The generated directed multilateral heterogeneous graph is trained and tested to detect flow table overflow attacks.

[0088] Train a graph neural network model to detect abnormal flows.

[0089] Detailed description:

[0090] The generated graph is divided into a training set and a test set.

[0091] In the training set, subgraphs are divided according to edge type, and node and edge features are learned using heterogeneous E-GraphSAGE and homogeneous E-GraphSAGE models respectively.

[0092] Calculate the edge loss function for each subgraph, sum the edge losses of all subgraphs to form the overall model loss function, and train the model through backpropagation until convergence.

[0093] The performance of the trained model is evaluated using a test set, and the detection results are output.

[0094] Step Six: Locating the Attack Source and Path

[0095] Based on the detection results, the network flow was divided into normal flow and abnormal flow, and the path and source of the flow table overflow attack were further located.

[0096] Based on the detection results, normal and abnormal flows are distinguished, and attack paths are traced.

[0097] Detailed description:

[0098] Detected abnormal flows are marked as potential attack flows.

[0099] By combining the topological information of the directed multilateral heterogeneous graph, the propagation path of the abnormal flow is traced, and the source node and specific path of the attack are finally determined.

[0100] Implementation Method 2: This implementation method further defines the SDN flow table overflow attack detection method based on polygon graphs provided in Implementation Method 1. The network control information includes: flow rule information, packet-in messages, switch information, flow table information, and network topology information.

[0101] Implementation Method 3: This implementation method further defines the SDN flow table overflow attack detection method based on polygon graphs provided in Implementation Method 1. It adopts a periodic collection method to collect network control information.

[0102] Implementation Method 4: This implementation method further defines the SDN flow table overflow attack detection method based on multi-sided graphs provided in Implementation Method 1. According to the statistical characteristics, the nodes of the obtained directed multi-sided heterogeneous graph include switch nodes and host nodes, the edges include network flows, the node characteristics include statistical characteristics of flow table information, switch information and packet-in messages, and the edge characteristics include statistical characteristics of flow rule information.

[0103] Implementation Method 5: This implementation method further defines the SDN flow table overflow attack detection method based on polygonal graphs provided in Implementation Method 1. It uses the E-GraphSAGE model to sample and learn the edges and nodes of the directed polygonal heterogeneous graph.

[0104] Implementation Method Six: This implementation method further defines the SDN flow table overflow attack detection method based on multi-sided graphs provided in Implementation Method One. It involves sampling and learning the edges and nodes of the directed multi-sided heterogeneous graph, calculating the influence weight of network flow on node state through the edge attention mechanism, updating the features of nodes and edges, and training the detection model based on graph neural network.

[0105] Implementation Method Seven: This implementation method provides an SDN flow table overflow attack detection device based on polygonal graphs, including:

[0106] When the collected SDN network status values ​​exceed a set threshold, the module begins to collect network control information and extract statistical features.

[0107] Based on the statistical characteristics, a module for a directed polygonal heterogeneous graph is obtained;

[0108] The module that inputs the directed polygonal heterogeneous graph into a detection model based on a graph neural network and samples and learns the edges and nodes of the directed polygonal heterogeneous graph;

[0109] Based on the directed multilateral heterogeneous graph generated by the graph neural network-based detection model, the SDN network is divided into modules for normal flow and abnormal flow.

[0110] The module that tracks the propagation path of the attack in the SDN network and locates the source of the attack based on the abnormal flow.

[0111] Implementation Method 8: This implementation method provides a computer storage medium for storing a computing program. When the computer reads the computer program, the computer executes the method provided in Implementation Method 1.

[0112] Implementation Method Nine: This implementation method provides a computer, including a processor and a storage medium. When the processor reads a computer program stored in the storage medium, the computer executes the method provided in Implementation Method One.

[0113] Implementation Method 10: This implementation method provides a computer program product. As a computer program, when the computer program is executed, it implements the method provided in Implementation Method 1.

[0114] Implementation Method Eleven: Combination Figure 1-3 This embodiment describes the technical solution provided above in further detail through specific examples. Specifically:

[0115] Figure 1 This is a flowchart of an SDN flow table overflow attack detection method based on polygonal graphs;

[0116] The SDN flow table overflow attack detection method based on polygonal graphs includes the following steps:

[0117] In step S1, the controller periodically acquires the current network state. When the acquired current network state value exceeds the set threshold, it is considered that a flow table overflow attack may occur, and the controller begins to collect network information for the current period and subsequent periods. The data collected in each period are used to construct a directed multilateral heterogeneous graph.

[0118] In step S2, after obtaining the directed multilateral heterogeneous graph, the graph is sent to the SDN flow table overflow attack detection model based on the multilateral graph to detect the network flow in the graph, and the flow table overflow attack source and path are found based on the detection results.

[0119] Specifically,

[0120] like Figure 2 As shown, the specific steps for generating a directed multi-sided heterogeneous graph are as follows:

[0121] Step D1: After the controller starts, it begins to periodically monitor the current SDN network status.

[0122] Step D2: If the current SDN network state value exceeds the pre-set threshold, it is considered that a flow table overflow attack may occur; otherwise, proceed to step D1.

[0123] Step D3: The controller begins to periodically acquire flow rule information, packet-in messages, flow table information, switch information, and network topology information;

[0124] Step D4: Preprocess the flow rule information and packet-in messages using statistical methods to calculate statistical characteristics;

[0125] Step D5: Preprocess the flow table information and switch information using statistical methods and calculate statistical characteristics;

[0126] Step D6: Use network topology information to generate nodes of a directed multilateral heterogeneous graph, and use the statistical features described in step D4 as features of host nodes and the statistical features described in step D5 as features of switch nodes.

[0127] Step D7: Generate edges using network topology information and flow rule information, and use the statistical characteristics of flow rule information as the features of the edges;

[0128] Step D8: Generate a directed multi-edge heterogeneous graph based on the existing graph nodes and edges.

[0129] like Figure 3 As shown, when using a multi-sided graph-based SDN flow table overflow attack detection model, the specific steps for model training and detection are as follows:

[0130] Step D1: Divide the obtained directed polygonal heterogeneous graph into a training set and a test set;

[0131] Step D2: Divide the test set data into subgraphs according to edge type;

[0132] Step D3: Use the edge attention mechanism to obtain the attention weights of edge pairs to nodes;

[0133] Step D4: If the current subgraph is a heterogeneous subgraph, use the heterogeneous E-GraphSAGE model to sample and learn the features of neighboring nodes and edges to obtain new node features; otherwise, proceed to step D5.

[0134] Step D5: Use the isomorphic E-GraphSAGE model to learn the features of neighboring nodes and edges to obtain new node features;

[0135] Step D6: Assign new node features to edges using the calculated attention weights between edge pairs, and learn new edge features;

[0136] Step D7: Sum the edge loss functions of the subgraphs to form the overall loss function of the model;

[0137] Step D8: Backpropagate to train the model and obtain the trained model;

[0138] Step D9: Test the trained model using the test set;

[0139] Step D10: Obtain the test results;

[0140] Step D11: Locate the flow table overflow attack path and flow table overflow attack source based on the detection results.

[0141] The SDN flow table overflow attack detection method based on polygonal graph proposed in this invention effectively detects flow table overflow attacks by utilizing the real-time monitoring status of the SDN network, network statistical characteristics, the generated directed polygonal heterogeneous graph, and the edge classification graph neural network model. This improves the ability of the graph structure to display the complete network status and enhances the accuracy of the model in detecting flow table overflow attacks, thereby reducing the impact of flow table overflow attacks on network forwarding performance and improving the overall stability and security of the network.

[0142] The above description of several specific embodiments further details the technical solution provided by the present invention in order to highlight the advantages and benefits of the technical solution provided by the present invention. However, the above-described specific embodiments are not intended to limit the present invention. Any reasonable modifications and improvements to the present invention, combinations of embodiments, and equivalent substitutions based on the spirit and principles of the present invention should be included within the protection scope of the present invention.

Claims

1. A method for detecting SDN flow table overflow attacks based on polygonal graphs, characterized in that, include: When the collected SDN network status values ​​exceed a set threshold, the process begins to collect network control information and extract statistical features. The steps to obtain the directed polygonal heterogeneous graph based on the statistical characteristics; The steps include inputting the directed polygonal heterogeneous graph into a detection model based on a graph neural network, and sampling and learning the edges and nodes of the directed polygonal heterogeneous graph. The step of dividing the SDN network into normal flow and abnormal flow based on the directed multilateral heterogeneous graph generated by the graph neural network-based detection model; The steps involve tracing the propagation path of the attack in the SDN network and locating the source of the attack based on the abnormal flow.

2. The SDN flow table overflow attack detection method based on polygonal graphs according to claim 1, characterized in that, The network control information includes: flow rule information, packet-in messages, switch information, flow table information, and network topology information.

3. The SDN flow table overflow attack detection method based on polygonal graphs according to claim 1, characterized in that, Network control information is collected using a periodic acquisition method.

4. The SDN flow table overflow attack detection method based on polygonal graphs according to claim 1, characterized in that, Based on the statistical characteristics, the nodes of the resulting directed multi-edge heterogeneous graph include switch nodes and host nodes, the edges include network flows, the node characteristics include statistical characteristics of flow table information, switch information and packet-in messages, and the edge characteristics include statistical characteristics of flow rule information.

5. The SDN flow table overflow attack detection method based on polygonal graphs according to claim 1, characterized in that, The edges and nodes of the directed multi-sided heterogeneous graph are sampled and learned using the E-GraphSAGE model.

6. The SDN flow table overflow attack detection method based on polygonal graphs according to claim 1, characterized in that, The steps include sampling and learning the edges and nodes of the directed multi-sided heterogeneous graph, calculating the influence weight of network flow on node state through the edge attention mechanism, updating the features of nodes and edges, and training the detection model based on graph neural network.

7. A multi-sided graph-based SDN flow table overflow attack detection device, characterized in that, include: When the collected SDN network status values ​​exceed a set threshold, the module begins to collect network control information and extract statistical features. Based on the statistical characteristics, a module for a directed polygonal heterogeneous graph is obtained; The module that inputs the directed polygonal heterogeneous graph into a detection model based on a graph neural network and samples and learns the edges and nodes of the directed polygonal heterogeneous graph; Based on the directed multilateral heterogeneous graph generated by the graph neural network-based detection model, the SDN network is divided into modules for normal flow and abnormal flow. The module that tracks the propagation path of the attack in the SDN network and locates the source of the attack based on the abnormal flow.

8. A computer storage medium for storing computing programs, characterized in that, When the computer reads the computer program, the computer executes the method of claim 1.

9. A computer, comprising a processor and a storage medium, characterized in that, When the processor reads the computer program stored in the storage medium, the computer executes the method of claim 1.

10. A computer program product, as a computer program, is characterized by: When the computer program is executed, it implements the method of claim 1.