Method and system to dynamically detect traffic anomalies in a network
US-9692775-B2 · Jun 27, 2017 · US
US11637845B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11637845-B2 |
| Application number | US-201916415749-A |
| Country | US |
| Kind code | B2 |
| Filing date | May 17, 2019 |
| Priority date | Nov 22, 2013 |
| Publication date | Apr 25, 2023 |
| Grant date | Apr 25, 2023 |
Abstract:
A malicious attack detection method includes receiving, by a controller, a packet-in message sent by a switch, sending, by the controller, an abnormal flow entry to the switch, receiving, by the controller, a triggering count sent by the switch, where the triggering count is a quantity of times that the abnormal flow entry is triggered, and determining, according to the triggering count, whether a malicious attack is initiated.
Claims (preview):
What is claimed is:

1. A malicious attack detection method performed by a controller of a software-defined network (SDN), comprising: receiving a packet-in message from a switch in the SDN, wherein the packet-in message indicates that the switch lacks a matching flow entry for a data packet received by the switch; determining that a destination host of the data packet does not exist in the SDN; sending an abnormal flow entry comprising a source host identifier of the data packet to the switch; receiving a triggering count indicating a quantity of times that the abnormal flow entry is triggered from the switch; and determining whether a malicious attack is initiated from a source host indicated by the source host identifier based on the triggering count.

2. The method according to claim 1, wherein determining whether the malicious attack is initiated comprises determining whether the triggering count is greater than a count threshold, wherein the malicious attack is initiated from the source host in response to the triggering count being greater than the count threshold.

3. The method according to claim 1, further comprising: determining that a last flow table in the switch is a precise matching table comprising a source host identifier matching domain; and sending a first instruction to the switch to instruct the switch to configure the precise matching table for matching only the source host identifier matching domain.

4. The method according to claim 1, further comprising: determining that a last flow table in the switch is a precise matching table and that a wildcarded table comprising a source host identifier matching domain exists in the switch; and sending a second instruction to the switch to instruct the switch to adjust the wildcarded table to be the last flow table.

5. The method according to claim 1, wherein a priority of the abnormal flow entry corresponds to a lowest priority among a plurality of flow entries stored at the switch.

6. The method according to claim 1, further comprising: determining that the malicious attack is initiated from the source host indicated by the source host identifier based on the triggering count; and sending a third instruction to the switch to instruct the switch to suppress the data packet from the source host.

7. The method according to claim 1, wherein receiving the triggering count comprises receiving a Flow-removed message from the switch, wherein the triggering count is carried in the Flow-removed message.

8. A malicious attack detection apparatus, comprising: a memory configured to store instructions; and a processor coupled to the memory and configured to execute the instructions to cause the processor to be configured to: receive a packet-in message from a switch in the SDN, wherein the packet-in message indicates that the switch lacks a matching flow entry for a data packet received by the switch; determine that a destination host of the data packet does not exist in the SDN; send an abnormal flow entry comprising a source host identifier of the data packet to the switch; receive a triggering count indicating a quantity of times that the abnormal flow entry is triggered from the switch; and determine whether a malicious attack is initiated from a source host indicated by the source host identifier based on the triggering count.

9. The apparatus according to claim 8, wherein the instructions, when executed, further cause the processor to be configured to determine whether the triggering count is greater than a count threshold, wherein the malicious attack is initiated from the source host in response to the triggering count being greater than the count threshold.

10. The apparatus according to claim 8, wherein the instructions, when executed, further cause the processor to be configured to: determine that a last flow table in the switch is a precise matching table comprising a source host identifier matching domain; and send a first instruction to the switch to instruct the switch to configure the precise matching table for matching only the source host identifier matching domain.

11. The apparatus according to claim 8, wherein the instructions, when executed, further cause the processor to be configured to: determine that a last flow table in the switch is a precise matching table and that a wildcarded table comprising a source host identifier matching domain exists in the switch; and send a second instruction to the switch to instruct the switch to adjust the wildcarded table to be the last flow table.

12. The apparatus according to claim 8, wherein a priority of the abnormal flow entry corresponds to a lowest priority among a plurality of flow entries stored at the switch.

13. The apparatus according to claim 8, wherein the instructions, when executed, further cause the processor to be configured to: determine that a malicious attack is initiated from the source host indicated by the source host identifier based on the triggering count; and send a third instruction to the switch to instruct the switch to suppress the data packet from the source host.

14. A malicious attack detection system applied in a software-defined network (SDN), comprising: a switch; and a controller coupled to the switch and comprising: a receiver configured to receive a packet-in message from the switch of the SDN, wherein the packet-in message indicates that the switch lacks a matching flow entry for a data packet received by the switch; a processor coupled to the receiver and configured to determine a destination host of the data packet does not exist in the SDN; and a transmitter coupled to the processor and configured to send an abnormal flow entry comprising a source host identifier of the data packet to the switch, wherein the receiver is further configured to receive a triggering count indicating a quantity of times that the abnormal flow entry is triggered from the switch, and wherein the processor is further configured to determine whether a malicious attack is initiated from a source host indicated by the source host identifier based on the triggering count.

15. The system according to claim 14, wherein the processor of the controller is further configured to determine whether the triggering count is greater than a count threshold, wherein the malicious attack is initiated from the source host in response to the triggering count being greater than the count threshold.

16. The system according to claim 14, wherein the processor of the controller is further configured to determine that a last flow table in the switch is a precise matching table comprising a source host identifier matching domain, and wherein a transmitter of the controller is configured to send a first instruction to the switch to instruct the switch to configure the precise matching table for matching only the source host identifier matching domain.

17. The system according to claim 14, wherein the processor of the controller is further configured to determine that a last flow table in the switch is a precise matching table and that a wildcarded table comprising a source host identifier matching domain exists in the switch, and wherein a transmitter of the controller is configured to send a second instruction to the switch to instruct the switch to adjust the wildcarded table to be the last flow table.

18. The system according to claim 14, wherein a priority of the abnormal flow entry corresponds to a lowest priority among a plurality of flow entries stored at the switch.

19.
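The claims describe a detection loop rather than code: the controller answers a packet-in for a non-existent destination by installing a lowest-priority "abnormal" entry keyed on the source host identifier, the switch counts how often that entry is hit, the count comes back in a Flow-removed message, and a count above a threshold marks the source as attacking and triggers a suppression instruction. The following is an added Python simulation of that loop (claims 1, 2, 5, 6 and 7, with the last-table layout of claims 3 and 4 modelled as a table that accepts only source-keyed entries). It is not code from the patent or its assignee; the host names, priorities, the threshold value, the two-table pipeline and the choice to have the abnormal entry count and drop the packet are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed toy SDN: one switch with two flow tables and a controller that
# runs the detection loop of the claims. All names and numbers are assumed.

LOWEST_PRIORITY = 0       # abnormal entries sit below every other entry (claim 5)
FORWARD_PRIORITY = 10     # assumed priority for ordinary forwarding entries
SUPPRESS_PRIORITY = 100   # assumed priority for the suppression entry (claim 6)


@dataclass
class Packet:
    src: str
    dst: str


@dataclass
class FlowEntry:
    match: Dict[str, str]   # e.g. {"src": "h1", "dst": "h2"} or {"src": "h4"}
    priority: int
    action: str             # "forward", "drop" or "count"
    hits: int = 0           # triggering count maintained by the switch

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(pkt, k) == v for k, v in self.match.items())


class Switch:
    """Table 0 holds forwarding and suppression entries; table 1 is the last
    table and matches only the source host identifier (claims 3 and 4)."""

    def __init__(self, name: str, controller: "Controller"):
        self.name = name
        self.controller = controller
        self.tables: List[List[FlowEntry]] = [[], []]

    def install(self, table: int, entry: FlowEntry) -> None:
        if table == 1 and set(entry.match) != {"src"}:
            raise ValueError("last table matches only the source host identifier")
        self.tables[table].append(entry)

    def process(self, pkt: Packet) -> str:
        for table in self.tables:
            hit = [e for e in table if e.matches(pkt)]
            if hit:
                best = max(hit, key=lambda e: e.priority)  # highest priority wins
                best.hits += 1
                return best.action
        return self.controller.packet_in(self, pkt)        # miss everywhere: packet-in

    def expire(self, entry: FlowEntry) -> bool:
        """Entry timed out: remove it and report Flow-removed with its count (claim 7)."""
        for table in self.tables:
            if entry in table:
                table.remove(entry)
        return self.controller.flow_removed(self, entry)


class Controller:
    def __init__(self, known_hosts, count_threshold: int = 20):
        self.known_hosts = set(known_hosts)
        self.count_threshold = count_threshold            # assumed value (claim 2)
        self.abnormal: Dict[Tuple[str, str], FlowEntry] = {}
        self.attackers: set = set()

    def packet_in(self, sw: Switch, pkt: Packet) -> str:
        if pkt.dst in self.known_hosts:
            sw.install(0, FlowEntry({"src": pkt.src, "dst": pkt.dst}, FORWARD_PRIORITY, "forward"))
            return "forward"
        # Destination does not exist: install an abnormal entry keyed on the
        # source host identifier at the lowest priority (claims 1 and 5).
        key = (sw.name, pkt.src)
        if key not in self.abnormal:
            entry = FlowEntry({"src": pkt.src}, LOWEST_PRIORITY, "count")
            sw.install(1, entry)
            self.abnormal[key] = entry
        return "count"

    def flow_removed(self, sw: Switch, entry: FlowEntry) -> bool:
        src = entry.match["src"]
        self.abnormal.pop((sw.name, src), None)
        if entry.hits > self.count_threshold:             # claim 2
            self.attackers.add(src)
            sw.install(0, FlowEntry({"src": src}, SUPPRESS_PRIORITY, "drop"))  # claim 6
            return True
        return False


def simulate(count_threshold: int = 20) -> dict:
    """Constructed scenario: a benign host and a host spraying non-existent destinations."""
    ctl = Controller({"h1", "h2", "h3"}, count_threshold)
    sw = Switch("s1", ctl)
    h1_first = sw.process(Packet("h1", "h2"))            # one miss, then forwarded
    for _ in range(3):                                   # three probes of an absent host
        sw.process(Packet("h1", "nonexistent"))
    benign_hits = ctl.abnormal[("s1", "h1")].hits        # first probe went to controller
    benign_flagged = sw.expire(ctl.abnormal[("s1", "h1")])
    for i in range(50):                                  # h4 sprays 50 absent hosts
        sw.process(Packet("h4", f"ghost{i}"))
    scan_hits = ctl.abnormal[("s1", "h4")].hits
    scan_flagged = sw.expire(ctl.abnormal[("s1", "h4")])
    return {
        "h1_first": h1_first,
        "benign_hits": benign_hits,
        "benign_flagged": benign_flagged,
        "scan_hits": scan_hits,
        "scan_flagged": scan_flagged,
        "h4_after": sw.process(Packet("h4", "h1")),      # suppression entry applies
        "h1_after": sw.process(Packet("h1", "h2")),      # benign traffic unaffected
        "attackers": sorted(ctl.attackers),
    }
```

Two things the simulation makes visible that the claims leave to the implementer. First, the triggering count only accumulates on packets that hit the installed entry, so the first packet (which produced the packet-in) is not counted, and the count threshold together with the entry's timeout sets the detection rate: a benign host that occasionally addresses a stale or absent destination stays well below the threshold, while a host enumerating addresses crosses it within one timeout period. Second, the suppression entry of claim 6 blocks everything from the source, so a threshold set too low turns a single noisy but legitimate host into an outage; the controller should log the count that led to suppression and make the threshold and timeout tunable per deployment.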
CPC classification titles:
- Denial of Service
- using dedicated network management hardware
- Traffic logging, e.g. anomaly detection
- Event detection, e.g. attack signature detection
- Detecting local intrusion or implementing counter-measures