Abstract: In order to detect distributed denial of service (DDoS) attacks in software defined network (SDN), a DDoS detection algorithm based on self-organizing mapping decision tree (DT) is proposed, which firstly uses the data distribution fitting network trained by the two-dimensional self-organizing mapping algorithm, combines the historical data to generate the data rarity network, combines the judgment result of the decision tree algorithm to generate the data harmfulness network, and uses data rarity network and data harmfulness network to modify the decision tree algorithm to produce final detection results. In addition, a DDoS detection system is built on the SDN experimental network based on the proposed algorithm, which realizes the automatic periodic detection of SDN network traffic. Finally, the accuracy of detection algorithm and the system operation effect are tested in the built experimental network, and the results show that the detection performance of the proposed algorithm for DDoS attack is better than the algorithm compared, and the system operation effect is able to meet the expectation.