The invention discloses a network security anomaly detection algorithm based on a clustering graph neural network. The algorithm comprises the following steps: describing a network topology structureby using a graph model, optimizing node characteristics by using a graph neural network convolution layer, segmenting a graph into a plurality of disjoint sub-graphs by using a graph clustering algorithm, regarding each sub-graph as a node, regarding an adjacency relationship of the sub-graphs as an edge, forming a sub-graph, learning a weight for each node by utilizing a graph attention layer, performing weighted summation on features of all nodes in each sub-graph to form features of the nodes in the sub-graph, and finally judging whether a network is attacked or not by utilizing a full connection layer and a classifier layer. According to the method, a hierarchical graph neural network is constructed, node features in a graph are optimized through a graph convolution layer, local features on the graph are captured through a pooling layer based on a graph clustering algorithm, high-level semantic features are generated, situation features of the whole network are generated through afusion layer, and network situations are classified through a classifier.