To　address　security　challenges　in　software　defined　networking　(SDN)　architecture,　centered　on　the　security　audit　aspect　of　the　SDN　architecture,　the　traditional　network　security　audit　solutions　and　the　SDN　architecture＇s　centralized　control　features　were　combined.　A　security　audit　system　was　designed　and　implemented　based　on　the　Floodlight　controller　and　was　operated　in　the　SDN　environment,　in　which　the　collection,　analysis,　storage　of　audit　events　and　other　functions　were　included.　A　backtracking　algorithm　against　DDoS　scenario　was　designed　to　detect　the　attackers　and　dummy　hosts　via　reviewing　and　analyzing　security　audit　events　retrospectively.　Besides,　a　sliding　window　segmentation　algorithm　was　proposed　which　extracted　user＇s　behavior　patterns　after　implementing　sequence　analysis　against　security　audit　events.　Based　on　the　Levenshtein　algorithm　to　the　similarity　of　sequence　patterns　were　calculated,　then　according　to　the　similarity　of　the　current　user＇s　behaviors　and　historical　behaviors,　suspected　attack　behaviors　were　detected.　©　2017,　Editorial　Department　of　Journal　of　Beijing　University　of　Technology.　All　right　reserved.