Low-Earth Orbit (LEO) mega-constellations such as Starlink by SpaceX and Kuiper by Amazon rely on optical Inter-Satellite Links (ISLs) for autonomous mesh routing to provide low-latency telecommunication, Internet of Things (IoT), and security services globally. As commercial operators and governments deploy increasingly dense constellations and form multi-operator peering coalitions, ISL integrity becomes critical to both commercial availability and national security. However, there is a lack of real-world data for LEO constellations and existing real-time security approaches focus strictly on physical layer security, leaving blind spots in the coverage of network-layer and composite attacks. In this paper, we present a cross-layer, lightweight behavioral fingerprinting framework that fuses onboard physical-layer measurements with network-layer data to detect anomalies at low computational overhead. We construct an orbital simulation covering the first shells of Starlink (1,584 satellites), Kuiper (1,156 satellites), and a joint multi-operator peering scenario (2,740 satellites), injecting ten attack types that span spoofing, traffic manipulation, and routing subversion at varying severity. We evaluate three unsupervised, per-satellite detectors among which our Mahalanobis-distance-based detector achieves 99.5% recall on Starlink, 99.4% on Kuiper, and 94.8\% on the multi-operator constellation, while maintaining False Positive Rates (FPR) below 0.7%. Our results demonstrate that cross-layer feature fusion is not only necessary for comprehensive security of LEO constellations but highly cost-effective for large-scale networks while fitting into the strict onboard energy budgets of resource-constrained satellites.

翻译：低地球轨道（LEO）巨型星座（如SpaceX的Starlink和Amazon的Kuiper）依赖光学星间链路（ISL）实现自主网状路由，为全球提供低延迟电信、物联网（IoT）和安全服务。随着商业运营商和政府部署日益密集的星座并形成多运营商互联联盟，ISL完整性对商业可用性和国家安全均至关重要。然而，现有LEO星座缺乏真实数据，且现有实时安全方法严格聚焦于物理层安全，在网络层和复合攻击覆盖方面存在盲区。本文提出一种跨层轻量级行为指纹识别框架，将星载物理层测量数据与网络层数据融合，以低计算开销检测异常行为。我们构建了覆盖Starlink第一壳层（1,584颗卫星）、Kuiper第一壳层（1,156颗卫星）以及联合多运营商互联场景（2,740颗卫星）的轨道仿真，注入十种涵盖不同严重程度的欺骗、流量操纵和路由颠覆攻击。在三种无监督单星检测器中，基于马氏距离的检测器在Starlink上达到99.5%的召回率，在Kuiper上达到99.4%，在多运营商星座上达到94.8%，同时将假阳性率（FPR）维持在0.7%以下。研究结果表明，跨层特征融合不仅是实现LEO星座全面安全的必要条件，对大规模网络而言也极具成本效益，同时能够适配资源受限卫星严格的星载能量预算。