Integrated Cyberattack Detection for Satellites

Dr. Patrick Jauernig — Managing Director
SANCTUARY Systems GmbH
Engineering Technology AI for Satellite Cybersecurity Cybersecurity Situational Awareness Systems Analysis Systems Engineering & Integration

Schedule

Talk Wednesday, May 27, 2026 · 8:30 AM · Technical Stage
Q&A Wednesday, May 27, 2026 · 9:00 AM · Posters Area – Kiosk 1

Abstract

Next-generation satellites are evolving into highly interconnected cyber-physical platforms, where heterogeneous subsystems, widespread adoption of Commercial Off-The-Shelf (COTS) components, and emerging multi-tenant payload paradigms fundamentally reshape the spacecraft threat landscape. These trends erode traditional trust assumptions and necessitate autonomous onboard cybersecurity mechanisms capable of detecting, localising, and mitigating attacks without reliance on continuous ground intervention.

This paper presents a novel integrated Monitoring and Control (M&C) subsystem that introduces cybersecurity anomaly detection and recovery services to sustainably secure the rapidly evolving landscape of satellite architectures. The subsystem comprises deep learning-driven system bus monitoring and static rule enforcement, onboard computer (OBC) log monitoring, and recovery strategies for other subsystems. The deep learning-based monitoring module continuously observes system bus communications without perturbing nominal operations, enabling real-time situational awareness at the system level. The underlying model is extremely small and fast, as it is based on recurrent autoencoders with four layers and 8,465 trainable parameters, yet it precisely detects subtle structural and temporal deviations indicative of cyberattacks. Lightweight rule-based detectors and machine learning-based log analysis complement the learning-based bus monitoring, providing fast baseline detection and robustness against model blind spots. When an anomaly is detected, the framework performs automated root cause analysis to identify the responsible communication, enabling fine-grained isolation and recovery of compromised subsystems. Two recovery approaches are presented: one based on subsystem software redundancy, and a lightweight method leveraging the SpaceWire Remote Memory Access Protocol.

Extensive experimental evaluation demonstrates strong detection performance and operational feasibility. The system bus anomaly detector achieves a 97.18% true negative rate with low false positive rates on benign traffic, and F1 scores of 89.88% for denial-of-service attacks, 92.70% for full-payload interference, and 82.95% for partial frame corruption. Our breadboard prototype yields an inference latency of 24 ms per analysis window, validating real-time onboard applicability under realistic resource constraints.

Authors

  • Dr. Marco Chilese — Senior Security Architect
    SANCTUARY Systems GmbH
  • Dr. Richard Mitev — Senior Security Architect
    SANCTUARY Systems GmbH
  • Giannis Mouzenidis — Junior Software Engineer
    Junior Software Engineer
  • Dr. Patrick Jauernig — Managing Director
    SANCTUARY Systems GmbH
  • Daniel Fortún Sánchez — Avionics Developer
    GMV GmbH
  • Martín Bárez Alonso — Space Avionics Engineer
    GMV GmbH