AbstractSoftware‐defined networks (SDNs) have gained popularity in recent years as a solution for the fundamental issues that affect traditional dispersed networks. The primary advantage of SDNs is the decoupling of the control plane from the data plane, which increases the flexibility of the network. The SDN represents a network architecture of the next generation, however, its configuration options are centralized, leaving it open for cyber‐attacks. This paper concentrates on the early identification of attacks in an SDN environment. When malicious traffic is affecting in an SDN topology, an artificial intelligence (AI) module in the topology is used to detect the attack and stop the attack source using machine learning (ML) techniques. The architecture presented in this research allows for the comparison of several ML classification techniques that are used to identify different sorts of network attacks. For attack detection, eight ML techniques are used, namely logistic regression (LR), linear discriminant analysis (LDA), Naïve Bayes (NB), k‐nearest neighbor (KNN), classification and regression tree (CART), AdaBoost (AB), random forest (RF), and support‐vector machine (SVM) classifiers. These techniques are tested on the InSDN dataset, which is a novel attack‐specific SDN dataset. The results show that the highest accuracy of 98.6% is achieved with the LDA classifier. Further improvement in the accuracy of classification models is observed when random over‐sampling, synthetic minority oversampling technique (SMOTE), random under‐sampling, and under‐sampling with Tomek links and near‐miss concept are applied to address the class imbalance problem. After applying these methods, the LDA classifier showed an accuracy of 98.79%.