Software-Defined Networking (SDN) is increasingly adopted to secure Internet-of-Things (IoT) networks due to its centralized control and programmable forwarding. However, SDN-IoT defense is inherently a closed-loop control problem in which mitigation actions affect controller workload, queue dynamics, rule-installation delay, and future traffic observations. Aggressive mitigation may destabilize the control plane, degrade Quality of Service (QoS), and amplify systemic risk. Existing learning-based approaches prioritize detection accuracy while neglecting controller coupling, and rely on short-horizon Reinforcement Learning (RL) optimization that lacks structured, auditable policy evolution. This paper introduces a self-reflective two-timescale SDN-IoT defense solution that separates fast mitigation from slow policy governance. At the fast timescale, per-switch Proximal Policy Optimization (PPO) agents perform controller-aware mitigation under safety constraints and action masking. At the slow timescale, a multi-agent Large Language Model (LLM) governance engine generates machine-parsable updates to the global policy constitution Π, which encodes admissible actions, safety thresholds, and reward priorities. Updates (ΔΠ) are validated through stress testing and deployed only with non-regression and safety guarantees, ensuring auditable evolution without retraining the RL agents. Evaluation under heterogeneous IoT traffic and adversarial stress shows improvements of 9.1% Macro-F1 over PPO and 15.4% over static baselines. Worst-case degradation drops by 36.8%, controller backlog peaks fall by 42.7%, and RTT p95 inflation remains below 5.8% under high-intensity attacks. Policy evolution converges within five cycles, reducing catastrophic overload from 11.6% to 2.3%.
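As an added illustration (not the paper's code), the following toy model shows the two-timescale loop the abstract describes: a backlog-aware action mask on the fast path, and a ΔΠ governance gate that deploys a constitution update only when a stress test shows no regression and the RTT safety bound holds. The field layout of Π, the action set, the rule-install costs and the stress-test model are constructed assumptions.

```python
from dataclasses import dataclass, replace

# Constructed mitigation actions with an assumed controller cost (rule installs per decision).
ACTION_COST = {"allow": 0, "rate_limit": 1, "redirect": 2, "drop_flow": 3, "isolate_port": 6}
RTT_P95_INFLATION_LIMIT = 0.058  # safety gate: the 5.8% RTT p95 bound quoted in the abstract


@dataclass(frozen=True)
class Constitution:
    """Policy constitution Pi: admissible actions, safety thresholds, reward priorities."""
    admissible: frozenset    # action names the PPO agents may ever select
    max_backlog: float       # controller queue occupancy (0..1) at which costly actions are masked
    rule_budget: int         # max rule installs one mitigation decision may trigger
    w_qos: float             # reward weight on QoS preservation relative to detection


def action_mask(pi, backlog):
    """Fast timescale: actions a per-switch PPO agent may sample given current controller backlog.
    The rule budget shrinks linearly as backlog approaches pi.max_backlog, so mitigation can
    never push the control plane past its own safety threshold."""
    headroom = max(0.0, 1.0 - backlog / pi.max_backlog)
    budget = int(pi.rule_budget * headroom)
    allowed = {a for a in pi.admissible if ACTION_COST[a] <= budget}
    # Never return an empty mask: fall back to the cheapest admissible action.
    return allowed or {min(pi.admissible, key=ACTION_COST.get)}


def stress_test(pi):
    """Constructed stand-in for the paper's stress testing: a deterministic toy model in which a
    richer action set raises Macro-F1 and a larger rule budget raises backlog and RTT inflation."""
    coverage = len(pi.admissible) / len(ACTION_COST)
    return {
        "macro_f1": round(0.60 + 0.35 * coverage, 3),
        "backlog_peak": round(0.10 + 0.12 * pi.rule_budget, 3),
        "rtt_p95_inflation": round(0.01 * pi.rule_budget * (1.5 - pi.w_qos), 4),
    }


def govern(pi, delta_pi):
    """Slow timescale: apply a machine-parsable update Delta Pi (field -> new value) only if the
    stress-tested candidate does not regress on Macro-F1 or backlog peak and stays inside the
    RTT safety gate. Returns (constitution in force, accepted, candidate metrics)."""
    candidate = replace(pi, **delta_pi)
    base, cand = stress_test(pi), stress_test(candidate)
    accepted = (cand["macro_f1"] >= base["macro_f1"]
                and cand["backlog_peak"] <= base["backlog_peak"]
                and cand["rtt_p95_inflation"] <= RTT_P95_INFLATION_LIMIT)
    return (candidate if accepted else pi), accepted, cand
```

A rejected ΔΠ leaves the current Π in force, which is what makes the evolution auditable: every accepted update has a recorded stress-test result that justified it.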