Abstract: In order to detect advanced persistent threats in software-defined networks (SDN), this study proposes an efficient mechanism, built on an analysis of the SDN architecture and of the covert communication used in advanced persistent threats, for detecting covert communication within SDN. To detect covert communication, the mechanism first captures the traffic transmitted over the underlying network. It then extracts the SSL certificates from the captured packets and calculates several feature values (eigenvalues) of the extracted certificates. Finally, using the isolation forest algorithm on the extracted feature values, it determines whether these SSL certificates are abnormal. From the detection result for the SSL certificates, the mechanism judges whether covert communication is present in the network. Experimental results verify that the proposed mechanism improves detection accuracy and reduces the false-positive rate for covert communication. The mechanism is also highly scalable, which makes it easy to implement in other scenarios.
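The detection step of the abstract (isolation forest over per-certificate feature values) as an added, self-contained illustration; this is not the paper's code. The abstract does not say which certificate eigenvalues are extracted, so the three features used here (validity period in days, subject DN length, self-signed flag) and all certificate feature vectors are constructed assumptions, and the isolation forest is a minimal pure-Python implementation rather than a library call.

```python
"""Isolation-forest scoring of TLS/SSL certificate feature vectors.

Added example, not the paper's code.  The paper does not list the
certificate eigenvalues it extracts, so the per-certificate feature
vector [validity_days, subject_dn_length, is_self_signed] and the
sample certificates below are constructed assumptions.
"""
import math
import random


def _c_factor(n):
    """Average path length of an unsuccessful BST search on n points."""
    if n <= 1:
        return 0.0
    if n == 2:
        return 1.0
    harmonic = math.log(n - 1) + 0.5772156649  # H(n-1) via Euler's constant
    return 2.0 * harmonic - 2.0 * (n - 1) / n


def _build_tree(points, rng, depth, max_depth):
    """Recursively isolate points with random axis-aligned splits."""
    if depth >= max_depth or len(points) <= 1:
        return {"size": len(points)}
    # Only split on features that still vary inside this node.
    usable = []
    for feat in range(len(points[0])):
        lo = min(p[feat] for p in points)
        hi = max(p[feat] for p in points)
        if lo < hi:
            usable.append((feat, lo, hi))
    if not usable:
        return {"size": len(points)}
    feat, lo, hi = rng.choice(usable)
    split = rng.uniform(lo, hi)
    left = [p for p in points if p[feat] < split]
    right = [p for p in points if p[feat] >= split]
    return {"feat": feat, "split": split,
            "left": _build_tree(left, rng, depth + 1, max_depth),
            "right": _build_tree(right, rng, depth + 1, max_depth)}


def _path_length(point, node, depth=0):
    """Depth at which `point` lands, plus the c(size) estimate for the leaf."""
    if "feat" not in node:
        return depth + _c_factor(node["size"])
    child = node["left"] if point[node["feat"]] < node["split"] else node["right"]
    return _path_length(point, child, depth + 1)


class IsolationForest:
    """Minimal isolation forest: score in (0, 1], higher = easier to isolate."""

    def __init__(self, n_trees=100, sample_size=256, seed=0):
        self.n_trees, self.sample_size, self.seed = n_trees, sample_size, seed
        self.trees = []

    def fit(self, points):
        rng = random.Random(self.seed)
        self.sample_size = min(self.sample_size, len(points))
        max_depth = math.ceil(math.log2(self.sample_size)) if self.sample_size > 1 else 0
        self.trees = [_build_tree(rng.sample(points, self.sample_size), rng, 0, max_depth)
                      for _ in range(self.n_trees)]
        return self

    def score(self, point):
        avg = sum(_path_length(point, t) for t in self.trees) / len(self.trees)
        return 2.0 ** (-avg / _c_factor(self.sample_size))


def constructed_certificates():
    """Constructed sample: 40 ordinary leaf certificates plus one outlier at index 40."""
    rng = random.Random(1)
    certs = [[rng.randint(365, 398), rng.randint(30, 36), 0] for _ in range(40)]
    # Outlier: decade-long self-signed certificate with a near-empty subject,
    # the profile the abstract's mechanism is meant to flag as abnormal.
    certs.append([3650, 5, 1])
    return certs


def score_certificates(certs, n_trees=100, seed=0):
    """Anomaly score of every certificate, in input order."""
    forest = IsolationForest(n_trees=n_trees, seed=seed).fit(certs)
    return [forest.score(c) for c in certs]


def most_anomalous(certs):
    """Index of the certificate the forest isolates most easily."""
    scores = score_certificates(certs)
    return max(range(len(scores)), key=scores.__getitem__)


if __name__ == "__main__":
    sample = constructed_certificates()
    for i, s in enumerate(score_certificates(sample)):
        print(f"cert {i:2d} {sample[i]} score={s:.3f}")
```

In a deployment the feature vectors would be computed from certificates parsed out of the captured TLS handshakes rather than constructed; the scoring threshold that separates "abnormal" from "normal" is a tuning decision the abstract reports only through its accuracy and false-positive results, so the block exposes the raw scores instead of fixing one.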