In SDN anomaly detection systems, when a training mechanism adopts semi-supervised learning (consisting of self-training and self-learning) to attain the classifiers of online training, it may cause the accumulation of identification errors – to degrade the performance. This paper presents a new training and learning mechanism which involves the operations of self-training and active learning to solve the problem. The proposed mechanism first adds samples with “high confidence weights” and classified as “malicious” to the training set by random selection. It then practices active learning to label those samples with “low confidence weights” and add them to the training set for training, to further lift up identification accuracy. A faster clustering method has been brought in to reduce the operation time of active learning. In classifier retraining, parallel training is applied to keep the classifier in constant service without interruption. Simulation results show that, in contrast to existing active learning IDS (ALIDS), our new mechanism performs better in identifying unknown attacks, without occupying the operation time of detection as it processes both training and detection in parallel.