
Achieving Real-Time Intrusion Detection in SDNs by On-Line Training

Advisor: 莊博任

Abstract


Software-defined networks (SDN) are vulnerable to most of the attacks found in traditional networks, so integrating an intrusion detection system (IDS) into the SDN architecture to counter network attacks is essential. In existing research on SDN anomaly detection systems, the classifiers are all trained with supervised learning. In a deployed IDS, however, the received data carries no labels, and the IDS must try to recognise unknown attacks from previously seen attack patterns. Supervised learning trains only on labelled samples and cannot be retrained on the online data seen in operation, so a supervised training mechanism cannot be used in a production anomaly detection system: it cannot use online data to let the system adapt to new kinds of attack on its own. For the online training problem, semi-supervised training is a way to obtain a classifier for an online-trained anomaly detection system. Existing semi-supervised methods include self-learning and self-training. In this thesis we propose a mechanism that combines self-training with active learning. Among the samples with high confidence weights, those classified as malicious are randomly selected and added to the training set. Active learning is added so that samples with low confidence weights can be labelled and fed into the training set, giving the classifier higher accuracy without a large rise in the false positive rate (FPR). To speed up the training mechanism we use a faster clustering method, which reduces the running time of the active learning part. For retraining, the new classifier is trained in parallel without stopping the classifier in service, and the classifiers are swapped seamlessly; when an attack is detected it is countered immediately. In the simulation stage we confirmed that this training method effectively improves the ability to recognise unknown attacks. In terms of time, the training method does not take up the detection system's running time, because training and detection run in parallel, and replacing the classifier does not stop it from operating. In the implementation stage we confirmed that the method effectively defends against unknown attacks in real operation: even if an attack is not recognised at first, the system is updated according to the training method, learns to recognise the unknown attack and successfully blocks it, achieving real-time attack detection.

Abstract (English)


Software-defined networks (SDN) are susceptible to most of the attacks found in traditional networks. Therefore, integrating an Intrusion Detection System (IDS) into the SDN structure to provide intrusion countermeasures is important. In existing studies of SDN anomaly detection systems, the classifiers all adopt supervised learning for training. In the practical application of an IDS, the received data carries no labels, and the IDS must try to identify unknown attacks from old attack patterns. However, supervised learning uses only labeled samples for training and cannot use online data for retraining in application. Therefore, a supervised training mechanism cannot be applied to a practical anomaly detection system, because it cannot use online data to make the system adapt to new types of attacks. For the problem of online training, semi-supervised learning is a solution for obtaining the classifier of an online-trained anomaly detection system. Existing semi-supervised learning methods include self-learning and self-training. In this paper, we propose a mechanism that combines self-training with active learning. Among the samples with high confidence weights, those classified as malicious are added to the training set by random selection. The reason for adding active learning is that samples with low confidence weights can then be labeled and added to the training set, so that the classifier reaches a higher accuracy rate without a large increase in the false positive rate (FPR). To speed up the training mechanism, we use a faster clustering method to reduce the operation time of the active learning part. For retraining the classifier, we train the new classifier in parallel, keep the current classifier in service, and replace it in an uninterrupted way. When an attack is detected, it can be defended against immediately. We showed in the simulation stage that this training method effectively improves the identification of unknown attacks. In terms of time, the training method does not occupy the operation time of the detection system, because the training part and the detection system are processed in parallel, and the classifier does not stop when it is replaced. In the implementation stage, we showed that this method effectively prevents unknown attacks in practical operation: even if an attack is not identified at the beginning, the system is updated according to the training method, learns to identify the unknown attack and successfully prevents it, achieving real-time attack detection.
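As an added illustration of the training loop the abstract describes (this is not the thesis's code: the nearest-centroid classifier, the confidence thresholds, the oracle function and the toy feature vectors are all assumptions standing in for the thesis's classifier, clustering step and analyst labelling), the sketch below self-trains on confident malicious verdicts, sends low-confidence samples to active learning, and replaces the serving classifier by a single reference swap so detection never pauses.

```python
import math
import random
def centroid(points):  # mean vector of equal-length tuples
    return tuple(sum(p[i] for p in points) / len(points) for i in range(len(points[0])))

class CentroidClassifier:
    """Stand-in classifier: nearest centroid, with a distance-margin confidence in [0, 1]."""
    def __init__(self, labeled):
        self.centroids = {c: centroid([x for x, y in labeled if y == c])
                          for c in sorted({y for _, y in labeled})}
    def predict(self, x):
        d = {c: math.dist(x, m) for c, m in self.centroids.items()}
        best, other = sorted(d.values())[:2]
        return min(d, key=d.get), (other - best) / (other + best)

class OnlineIDS:
    """Self-training plus active learning with an uninterrupted classifier swap."""
    def __init__(self, labeled, oracle, high=0.6, low=0.2, keep_ratio=0.5, seed=0):
        self.training = list(labeled)
        self.oracle = oracle          # analyst / ground truth consulted by active learning
        self.high, self.low, self.keep = high, low, keep_ratio
        self.rng = random.Random(seed)
        self.active = CentroidClassifier(self.training)  # the classifier in service
        self.queries = 0              # labels requested by the active-learning step
    def detect(self, batch):
        """Classify a batch with the serving classifier, harvest training data, then swap."""
        verdicts, new = [], []
        for x in batch:
            label, conf = self.active.predict(x)
            verdicts.append(label)
            if label == "malicious" and conf >= self.high:
                if self.rng.random() < self.keep:    # self-training: random subset of
                    new.append((x, label))           # confident malicious verdicts
            elif conf < self.low:                    # active learning: uncertain sample,
                new.append((x, self.oracle(x)))      # ask for its real label
                self.queries += 1
        if new:
            self.training.extend(new)
            # Retraining runs inline here; in a deployment it runs in a worker while
            # self.active keeps serving, and only this atomic reference assignment swaps it.
            self.active = CentroidClassifier(self.training)
        return verdicts

# Constructed toy data: benign traffic near (0, 0), one known attack type near (10, 10).
SEED_LABELED = [((0, 0), "benign"), ((1, 0), "benign"), ((0, 1), "benign"), ((1, 1), "benign"),
                ((10, 10), "malicious"), ((11, 10), "malicious"),
                ((10, 11), "malicious"), ((11, 11), "malicious")]

def ground_truth(x):  # constructed oracle: anything far along feature 0 is an attack
    return "malicious" if x[0] >= 5 else "benign"
```

Feeding an unseen attack cluster near (10, 0) first yields benign verdicts with low confidence, which active learning labels; after the swap the same cluster is reported as malicious.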
