On Efficiency of Selected Machine Learning Algorithms for Intrusion Detection in Software Defined Networks

Damian Jankowski, Marek Amanowicz


We propose a concept of using Software Defined Network (SDN) technology and machine learning algorithms for monitoring and detection of malicious activities in the SDN data plane. The statistics and features of network traffic are generated by the native mechanisms of SDN technology. In order to test and verify the concept, it was necessary to obtain a set of network workload test data. We present a virtual environment which enables generation of SDN network traffic. The article examines the efficiency of selected machine learning methods: Self-Organizing Maps and Learning Vector Quantization, together with their enhanced versions. The results are compared with those of other SDN-based IDSs.







International Journal of Electronics and Telecommunications
is a periodical of Electronics and Telecommunications Committee
of Polish Academy of Sciences

eISSN: 2300-1933