Citation: XU Zhen, ZHANG Xiao-ping, ZHANG Hai-xiang. Undirected Graph Information Aggregation Reasoning Based SDN Suspicious Traffic Detection[J]. Microelectronics & Computer, 2017, 34(12): 5-10, 15.

Undirected Graph Information Aggregation Reasoning Based SDN Suspicious Traffic Detection

  • Abstract: To improve the performance of suspicious traffic detection in software defined networks (SDN), this paper proposes a k-nearest-neighbor SDN suspicious traffic detection method based on undirected-graph flow creation and information aggregation reasoning. The OpenFlow module is used to create data flows, and intrusion rules are constructed. Then, building on a Markov-chain representation of graph nodes and edges, attack features are represented as an undirected graph, which allows newly added attacks to be represented incrementally and reduces the computational complexity of constructing the undirected graph; the k-nearest-neighbor algorithm then classifies the malicious attack traffic features of the undirected graph to detect attacks effectively. Finally, the performance of the proposed algorithm is verified on the constructed SDN test platform.
