Denial of Service (DoS) attack is a serious threat to Software Defined Network (SDN). Although many research efforts have been devoted to identifying new features for DoS attack detection, the existing approaches are not able to detect various types of DoS attacks. In SDN, DoS attacks against the data plane are mainly organized in two ways: 1) DoS attack with multiple flow entries (M-DoS) to exhaust the Ternary Content-Addressable Memory (TCAM) resource of the switch; 2) DoS attack with a single well-designed entry (S-DoS) to overwhelm the target link and further impact the controller. To detect these two attacks, we propose a new approach that extracts six features of the flow table and uses a back propagation (BP) neural network to construct the classifier. Results of test-bed experiments indicate that the proposed approach achieves an accurate detection probability of 98.9% and can effectively distinguish M-DoS flows and S-DoS flows without being affected by flash crowd scenarios.

INDEX TERMS SDN security, DoS, Feature detection, Flow table, Flash crowd

I. INTRODUCTION

Software Defined Network (SDN), as a new type of network management architecture, provides the network with flexible control, a simple network architecture, and great programmability by decoupling the control plane and the data plane of the traditional network. The control plane enables upper-level managers to implement the required functions by simply deploying the network. In terms of development, SDN provides developers with rich programming interfaces, enabling them to change the network deployment according to actual needs. The logically centralized controller not only provides powerful technical support for complex network services, but can also obtain network status information from a global perspective, which is convenient for monitoring the network in real time.
Moreover, the separation of the control plane and the data plane simplifies the process of packet forwarding, reduces the load on the switch, and makes network configuration more convenient. SDN has been widely used in network virtualization, wireless LANs, cloud computing and other fields due to its advantages [1]-[4].

However, as SDN is still in the development stage and many technical details are not mature enough, it can easily become a key target of network attacks. SDN has serious security vulnerabilities and thus faces great security threats [5]-[7]. Denial of Service (DoS) attacks are one of the major threats to SDN. Previous research has noted that many types of DoS attacks exist in SDN [8]-[10]. The victim may be the control plane, the data plane or the application [9][11]. DoS attacks against the data plane, the control plane or SDN applications commonly have different principles and features, corresponding to specialized detection methods. Therefore, DoS attacks should be studied according to different planes, and existing studies are commonly conducted in this way. Currently, DoS attacks on the data plane have attracted wide attention, as the vulnerabilities of this plane are exposed. These attacks can be class...