Security facilities within a system are closely coupled, while security facilities between systems are unconnected. This results in an isolated protection structure for systems and poses a serious challenge to system security integration and system control. In addition, the need for diversified services and flexible extension of network security calls for more consideration and contributions from the perspective of software engineering when designing and constructing security systems. Based on the essence of virtualization and the idea of software-defined networks, in this paper we propose a novel software-defined security architecture for systems. By abstracting traditional security facilities and techniques, the proposed architecture provides a new, simple, effective, and programmable framework in which security operations and security controls can be decoupled. It thereby reduces software module sizes, decreases the intensity of software development, and improves the security extensibility of systems.