RISS Academic Research Information Service


      A Framework for Semantic Anomaly Detection and Context-Aware Mitigation based on Hierarchical Threat Modeling in Satellite–IoT Networks


      https://www.riss.kr/link?id=T17368228


      Multilingual Abstract

      Satellite–IoT networks increasingly support mission-critical services such as remote sensing, disaster response, and safety monitoring. However, their segmented and delay-tolerant communication environment—distributed across ground, space, and user segments with heterogeneous operating systems and protocol stacks, and characterized by inter-segment links, intermittent connectivity, and constrained bandwidth—expands the attack surface and makes it difficult to maintain consistent end-to-end security guarantees and coordinated mitigation under operational constraints. Accordingly, prior work has investigated threat modeling, anomaly detection, and mitigation to address these challenges, but the components are often developed and evaluated in isolation rather than as a unified decision pipeline. This lack of integration weakens the systematic linkage from threat scenarios and detection evidence to mitigation-policy selection, which can result in responses that are either insufficient for the actual threat context or unnecessarily disruptive. This dissertation presents an end-to-end security framework that integrates hierarchical threat scenario representation, semantic packet-level anomaly detection, and risk- and utility-aware mitigation into a closed-loop decision pipeline for Satellite–IoT networks. The framework constructs a hierarchical threat representation to organize attack scenarios and cross-segment propagation paths, yielding structured knowledge that can be directly used in downstream decision logic. It then introduces a domain-faithful semantic packet representation based on a fixed multi-field schema that encodes temporal, structural, and contextual attributes of satellite-linked communications. Using this representation, a lightweight Transformer-based detector performs multi-class attack discrimination by exploiting cross-field semantics and remains robust under partially observed packets with missing fields.
Detection outputs are further mapped to mission-phase-aware situational risk to reflect phase-conditioned threat priorities. Finally, mitigation is formulated as a selectable decision. A deterministic transition-checking layer measures policy effectiveness via illegal-transition reduction across mitigation strengths, and a scenario-weighted utility formulation selects policy strength by balancing security benefit against operational cost. Experimental results show that the proposed pipeline consistently connects hierarchical threat scenario representation with semantic packet-level evidence and scenario-aligned mitigation selection, enabling interpretable and reproducible decision-making for Satellite–IoT security. The integrated framework supports transparent comparison of mitigation strengths and avoids uniformly maximal responses when they are not justified under the modeled threat context and operational constraints. Future work will expand the threat-scenario knowledge base by incorporating evidence from real-world incidents and mission-profile variations. It will also prioritize validation using real telemetry/protocol traces and realistic testbeds, including hardware-in-the-loop environments. In parallel, it will refine mission- and platform-specific calibration of risk, cost, and utility parameters.

      Table of Contents

      • CHAPTER 1 INTRODUCTION
      • 1.1 Background and Motivation
      • 1.2 Research Challenges
      • 1.3 Limitations of Existing Work
      • 1.4 Research Objectives and Scope
      • 1.5 Contributions of This Dissertation
      • 1.6 Dissertation Organization
      • CHAPTER 2 TECHNICAL BACKGROUND AND RELATED WORK
      • 2.1 Satellite–IoT Network Architecture
      • 2.1.1 Ground Segment
      • 2.1.2 Space Segment
      • 2.1.3 User Segment
      • 2.1.4 End-to-End Routing Characteristics
      • 2.2 Communication Protocols in Satellite–IoT Systems
      • 2.2.1 IP-Based Ground Network (TCP/IP)
      • 2.2.2 CCSDS Space Link Protocol
      • 2.2.3 CSP and CSP-over-CAN
      • 2.2.4 MIOTY-Based LPWAN for IoT Uplinks
      • 2.2.5 NMEA Messages for GNSS Services
      • 2.3 Security Threats and Real-World Incidents
      • 2.3.1 Representative Satellite–IoT Threats
      • 2.3.2 Real-World Incidents
      • 2.4 Related Work on Satellite–IoT Network Security
      • 2.4.1 Threat and Security Analysis in Satellite Networks
      • 2.4.1.1 Threats in Satellite Networks
      • 2.4.1.2 Security Analysis for Satellite Networks
      • 2.4.1.3 Security Enhancement Strategies for Satellite Networks
      • 2.4.2 Intrusion and Anomaly Detection in Satellite–IoT Systems
      • 2.4.2.1 Conventional IDS Approaches for Satellite–IoT Systems
      • 2.4.2.2 LLM-Based Anomaly Detection
      • 2.4.2.3 Limitations of Existing IDS Approaches
      • 2.5 Summary
      • CHAPTER 3 HIERARCHICAL THREAT MODELING FOR SATELLITE–IOT NETWORKS
      • 3.1 Overview of This Chapter
      • 3.2 Proposed Approach
      • 3.2.1 Security Framework for Threat Modeling and Assessment
      • 3.2.2 Satellite Network Architecture
      • 3.2.2.1 Ground Segment
      • 3.2.2.2 Space Segment
      • 3.2.2.3 User Segment
      • 3.2.3 Vulnerability and Threat Analysis
      • 3.2.3.1 Operating Systems and Vulnerabilities
      • 3.2.3.2 Protocol Vulnerabilities
      • 3.2.3.3 Threat Analysis
      • 3.2.4 Threat Modeling Using TV-HARM
      • 3.2.4.1 Overview of TV-HARM
      • 3.2.4.2 Application of TV-HARM in Satellite Networks
      • 3.3 Security Metrics for Satellite Networks
      • 3.3.1 Network Centrality Measure
      • 3.3.2 Vulnerability Score
      • 3.3.3 Attack Impact Metrics
      • 3.4 Experimental Results and Discussion
      • 3.4.1 Network Centrality Metrics
      • 3.4.2 Vulnerability Score Metric
      • 3.4.3 Attack Impact Metrics
      • 3.4.4 Discussion and Future Work
      • CHAPTER 4 SEMANTIC-AWARE ANOMALY DETECTION
      • 4.1 Overview of This Chapter
      • 4.2 Proposed Approach
      • 4.2.1 Packet Structure and Input Sentence Construction
      • 4.2.1.1 Semantic Packet Parsing
      • 4.2.1.2 Semantic Inference and Anomaly Classification
      • 4.2.1.3 Attack Type Classification and Logging
      • 4.2.2 DistilBERT-Based Semantic Anomaly Classification
      • 4.3 Experimental Results and Discussion
      • 4.3.1 Experimental Environment and Dataset Construction
      • 4.3.2 Computational Efficiency and Edge Feasibility
      • 4.3.3 Performance Comparison with Baseline Models
      • 4.3.4 Evaluation on Scenario-Based Anomalies
      • 4.3.5 Analysis of Attention-Based Feature Importance
      • CHAPTER 5 RISK-AWARE ADAPTIVE MITIGATION FRAMEWORK
      • 5.1 Overview of This Chapter
      • 5.2 Proposed Approach
      • 5.2.1 Scenario-Driven Dataset and Threat Model
      • 5.2.1.1 Attack-Specific Packet Generation Patterns
      • 5.2.2 Detection Evidence for Risk Scoring and Mitigation
      • 5.2.3 Situational Risk Score Formulation
      • 5.2.4 Transition Checker for Violation Modeling
      • 5.2.5 Mitigation Policy Architecture
      • 5.2.5.1 Primitive Mitigation Actions
      • 5.2.5.2 Policy Stratification
      • 5.2.6 Adaptive Mitigation Trigger and Optimal Policy Selection
      • 5.3 Experimental Results and Discussion
      • 5.3.1 Semantic Classification Performance Evaluation
      • 5.3.2 Situational Risk Variation Across Mission Phases
      • 5.3.3 Mitigation Policy Effectiveness and Illegal-Transition Reduction
      • 5.3.4 Scenario-Based Utility-Aware Policy Selection
      • 5.3.5 Discussion
      • CHAPTER 6 CONCLUSION
      • 6.1 Conclusion
      • 6.2 Contributions
      • 6.3 Limitations and Future Work
      • REFERENCES
      • ABSTRACT IN KOREAN