DMSR: Dynamic Multipath Secure Routing Against Eavesdropping in Space-Ground Integrated Optical Networks

Abstract

With the continuous growth of global communication demands, the space-ground integrated optical network (SGION), composed of the satellite optical network (SON) and terrestrial optical network (TON), has gradually become a critical component of global communication systems due to its wide coverage, low latency, and large bandwidth. However, although the high directivity of laser communication can significantly enhance the security of data transmission, it still carries the risk of being eavesdropped on during the process of service routing. To resist eavesdropping attacks during service transmission in the SGION, this paper proposes a secure routing scheme named dynamic multipath secure routing (DMSR). In DMSR, a metric called the service eavesdropping ratio (SER) is defined to quantify the service leakage severity. The objective of DMSR is to reduce each service’s SER by switching its routing path proactively. To realize DMSR, heuristic algorithms are developed to sequentially search for optimal routing paths for service path switching in the TON and SGION. Finally, simulation results demonstrate that DMSR can achieve trade-offs between secure service transmission and network performance at different levels by adjusting its system parameters. Furthermore, the DMSR scheme significantly reduces the SER compared to the baseline schemes, while introducing acceptable increases in computation overhead and service latency.

1. Introduction

With the continuous growth of global information and communication demands, traditional terrestrial communication networks are gradually struggling to meet the communication requirements of long-distance, wide coverage, high data rate, and high reliability. Against this backdrop, low-earth orbit (LEO) satellite communication systems, leveraging their unique advantages, have become an important supplement to the new generation of global communication infrastructure. Compared with medium and high orbit satellites, LEO satellites boast advantages such as low communication latency, low launch costs, and flexible orbital deployment [1]. The satellite network, mainly based on LEO, is integrated with 3GPP standardization to address the coverage gap of ground 5G and subsequent 6G, ultimately building an integrated system of air, space, and earth to achieve ubiquitous connectivity across the entire domain [2]. They hold irreplaceable strategic value, especially in remote mountainous areas, oceanic regions, and emergency rescue scenarios. Internationally, SpaceX’s “Starlink” has deployed over 8000 satellites [3]. OneWeb has deployed more than 600 satellites in its first phase [4]. Amazon’s “Project Kuiper” will also accelerate its deployment in 2025 [5]. Also, European companies like Eutelsat are closely following suit. China’s satellite constellations are also catching up [6]. Allen Chang, an analyst at Goldman Sachs, predicts that 70,000 new satellites will be launched in the next five years, with 53,000 of them to be launched by China. This figure is 10 times the current number of satellites in orbit [7].

However, while LEO satellite networks are developing rapidly, they also face severe security challenges. Firstly, LEO satellite networks generally feature highly dynamic topological structures, fast node movement speeds, and short communication time slots, making traditional static network security models difficult to adapt to their operating environment. Secondly, the interconnection between LEO satellites is highly dependent on point-to-point laser links. While such links ensure high confidentiality, they also mean that once the network is attacked, its stability will be seriously threatened. In addition, satellite resources are limited, making it difficult to deploy security protocols with high computational requirements or energy consumption. Satellite networks are characterized by dynamics, irregularities, and the vulnerability of wireless communications. They lack centralized monitoring and protection mechanisms, thus being vulnerable to various attacks. The main security threats faced by satellite routing are as follows:

(1)

Blackhole Attack

A blackhole attack refers to a scenario where a malicious node in the network, during the route establishment phase, falsely claims to have the shortest path to the destination node, thereby luring surrounding nodes to forward data to it. However, instead of forwarding the data packets, it discards them, thus disrupting communication. This process is similar to a black hole, which only absorbs matter, hence the name “blackhole attack” [8].

(2)

DoS/DDoS

DoS refers to continuously sending a large number of requests to satellites or ground terminals in a short period of time, overwhelming the links and causing service interruptions. For example, Starlink has been subjected to DDoS attacks [9].

(3)

Communication Eavesdropping

Eavesdropping is an attack behavior that involves unauthorized access to information [10]. Attackers secretly intercept, monitor, or access communication data without being detected, aiming to steal sensitive information such as accounts, passwords, communication contents, and encryption keys. Since satellite communications rely on laser signals propagating in free space without physical medium protection, they are vulnerable to eavesdropping. Ground-based attackers can receive satellite signals using large-aperture antennas and demodulation systems. In broadcasting and data forwarding services, end-to-end encryption is often not implemented to save costs or reduce latency, which allows attackers to exploit vulnerabilities. Although there are no widespread reports of large-scale practical eavesdropping in actual combat, the following examples indicate that eavesdropping technology is already feasible.

For example, as mentioned in the literature, unauthorized and illegal access to patients’ private medical information occurs in hospitals [11]. The literature proposes two practical eavesdropping scenarios for optical communications in the satellite-to-HAPS (downlink) and HAPS-to-satellite (uplink) links, where an attacker’s spacecraft can eavesdrop on either the transmitted signals or the received signals [12]. Meng et al. assumed a satellite eavesdropper in the uplink satellite communication system, where the eavesdroppers are randomly distributed at any altitude according to the homogeneous binomial point process and attempt to intercept the signals transmitted from the ground terminals to the serving satellite [13]. Alexander Miller from the National University of Singapore pointed out in his paper that the payload transmission module of China’s quantum communication satellite “Micius” has a timing desynchronization issue. This problem allows eavesdroppers to distinguish between signal states and decoy states with a probability of 98.7% [14]. This study reveals that defects in actual equipment may undermine the security of quantum key distribution (QKD), which is theoretically secure. James Pavur, a researcher at the University of Oxford, demonstrated at the 2020 Black Hat Conference that using household TV equipment costing approximately $300, such as satellite dishes and DVB-S receivers, it is possible to intercept aeronautical internet data and reconstruct IP data packets [15]. In 2023, a cargo ship deviated from its route by 35 nautical miles in the Red Sea due to tampered navigation data. Attackers could alter the ship’s fuel supply instructions and cargo manifests by forging the frame check sequence (FCS) of satellite signals [16].

Due to the high latency of satellite networks, the impact of attacks is amplified, making them more difficult to detect and respond to in a timely manner [17]. Moreover, LEO satellites have limited resources, lacking sufficient capacity to deploy complex encryption or monitoring mechanisms [18]. Therefore, research on secure routing is extremely important. In this context, the issue of routing security has become a key link in the design of LEO optical networks [19]. In LEO satellite optical networks, the problem of secure routing is one of the core research directions for ensuring communication reliability and anti-attack capabilities. Secure routing refers to the selection of a trustworthy, reliable, non-eavesdropped, and non-tampered data transmission path in a dynamically networked environment with multiple satellites, so as to guarantee the security of the communication process and quality of service (QoS) [20].

At present, scholars both at home and abroad have conducted extensive research on secure routing in low-orbit satellite networks. He et al. [21] proposed a homogeneous quantum satellite network architecture (MRN) that supports key storage and relaying (SR). They defined the concept of storage relay topology (SRT) as a framework for dynamically describing the connection status and link weights of quantum satellite networks, which is used to guide the routing of global quantum key distribution (GQKD). Based on SRT, the SRT-RKA algorithm was developed, specifically for efficiently and dynamically allocating global keys for massive short message service (SMS) requests. Jiang et al. [22] conducted a review study on secure handoff, secure transmission control, key management, and secure routing. Matthias et al. [23] proposed a precoding algorithm to protect the downlink of multiple users from eavesdropping by multiple eavesdroppers. Zheng et al. [24] proposed an algorithm for users being eavesdropped on by multiple eavesdroppers simultaneously, which minimizes the total transmission power while maintaining secrecy constraints. Literature [25] takes communication security as a key goal, summarizes the involved security indicators in detail, focuses on eavesdropping security attacks, fully considers satellite beam patterns and path loss, conducts detailed modeling of satellite channels, and proposes a security design for satellite communication networks from the perspective of physical layer security. Literature [26] constructs a cognitive satellite-terrestrial network scenario where eavesdroppers illegally lurk, intending to eavesdrop during the primary and secondary user signal transmission between satellites and base stations.

Some advanced techniques, such as QKD, can detect eavesdropping attempts. However, current deployments do not yet provide continuous, wide-area coverage over dynamic space-ground paths. For the foreseeable future, many segments of space-ground integrated optical networks (SGIONs) will continue to rely on classical keys or operate in hybrid regimes. Against this background, we propose a secure routing technology whose principle is to avoid long-term use of the same route (which may lead to eavesdropping by potential attackers) by switching routes within a certain period of time.

The rest of this paper is organized as follows: Section 2 presents the system model. Section 3 illustrates the dynamic multipath secure routing (DMSR) scheme. Section 4 elaborates on the heuristic algorithms we developed. Section 5 presents the simulation results. Section 6 discusses the limitations of the proposed scheme. Finally, the paper is summarized in Section 7.

2. System Model

In this section, the system model of routing in the SGION is discussed, including the network architecture, network model, and service model.

2.1. Network Architecture

This study focuses on the integrated space-ground communication environment formed by the interconnection of satellite optical networks (SONs) and terrestrial optical networks (TONs), with a particular emphasis on addressing cross-layer secure routing challenges. As illustrated in Figure 1, the overall network topology comprises two primary components: the space layer and the ground layer. The ground network employs optical fibers for interconnection, whereas inter-satellite and satellite-to-ground links utilize laser communication technology. In the space layer, the network adopts a typical polar-orbit LEO constellation architecture, such as the Iridium constellation. Each satellite node is equipped with laser communication terminals, enabling multi-hop forwarding between satellites and forming a globally distributed high-speed spaceborne communication network [27]. Due to the continuous variation in orbital positions and time, satellite nodes exhibit high mobility, resulting in a highly dynamic network topology. The ground layer consists of multiple ground stations (GSs) and the core terrestrial IP network. Ground stations are geographically distributed and interconnected with the backbone networks. The terrestrial segment may integrate various heterogeneous networks, including mobile communication networks, the Internet of Things (IoT), and the Internet, providing user access and data aggregation functions [28]. For space-ground interconnection, the physical layer connectivity between LEO satellites and ground stations is established via laser communication links, enabling high-speed and low-latency data transmission [29].

2.2. Network Model

Considering the dynamics of the SGION, the network operation period is divided into multiple equal-length time slots, i.e., $T=\left\{t_1,t_2,\dots ,t_n\right\}$, where $t_i$ denotes $\mathrm{i}$-th time slot. The network topology is considered to be fixed within each time slot and only varies across different time slots. Note that the duration of each time slot is set to be extremely short (e.g., $\tau =1$ s), so it is reasonable to consider that SGL handovers occur exclusively at time slot boundaries rather than within any time slot, as shown in Figure 2. In each time slot, the network is modeled as a directed graph $G\left(V,E\right)$, where $V=VS\cup VG$ denotes the total set of nodes, and $VS$ and $VG$ denote the set of satellite nodes and ground nodes, respectively. $E=ES\cup EG\cup ESG$ denotes the total set of links, and $ES$, $EG$, and $ESG$ denote the set of ISLs, fiber links, and SGLs, respectively. Following the typical grid-mesh pattern, each LEO satellite establishes four ISLs with adjacent satellites, including two intra-orbit ISLs and two inter-orbit ISLs. Ground nodes with GSs connect to visible LEO satellites via laser links. The bandwidth capacities (the number of wavelengths) of ISLs, fiber links, and SGLs are denoted by $WS$, $WG$, and $WSG$.

2.3. Service Model

In this paper, service $r$ is denoted by a quadruple $\left(s_r,d_r,A_r,D_r\right)$, where $s_r$ and $d_r$ denote the source and destination of service $r$. $A_r$ and $D_r$ denote the arrival instant (time slot) and duration (the number of time slots) of service $r$. When routing in the SGION, a service’s data typically undergo a cross-layer forwarding process. A typical end-to-end transmission path includes source ground node → source ground station → LEO satellites → multi-hop inter-satellite links → destination ground station → destination ground node, as depicted in Figure 1. Considering the eavesdropping threat inherent in this integrated space-ground network environment, this paper proposes a secure routing scheme tailored for heterogeneous multi-layer networks, which is illustrated in the next section.

3. The DMSR Scheme

In this section, the service eavesdropping ratio (SER) is first defined to quantify the severity of service data leakage. Then, the DMSR scheme is illustrated.

3.1. Service Eavesdropping Ratio

Quantifying the risk of eavesdropping is the first step to mitigating it in the SGION. Traditional binary models (secure/insecure) are too coarse to guide dynamic routing strategies. Therefore, we propose the SER metric, a continuous measure designed to quantify the severity of service data leakage from both temporal and probabilistic perspectives. The core idea is based on a risk exposure model: the longer the service data is transmitted over a specific link, the higher the probability that an eavesdropper lurking on that link can successfully intercept it. This probability depends on both the link’s inherent vulnerability (i.e., its eavesdropping probability $p_{(i,j)}$) and the relative exposure time of the service on that link. We first define the fundamental risk unit for service $r$ on a single link $(i,j)$. If service $r$ is transmitted over a single link, i.e., the routing path of $r$ only contains one link, the SER of $r$ on link $(i,j)$ is defined as Equation (1), where $p_{(i,j)}$ denotes the eavesdropping probability of link $(i,j)$, $D_r^{(i,j)}$ denotes the period when service $r$ is transmitted over link $(i,j)$, and $D_r$ denotes the duration of service $r$. Note that the eavesdropping probability of a link is not a classic probability of a single event, but rather a risk coefficient per unit time. It encapsulates the time-independent vulnerability of the link, stemming from factors like its physical signal strength, geographical location, and the effectiveness of potential eavesdropping equipment in its vicinity. The term $D_r^{(i,j)}/D_r$ quantifies the fraction of the service’s total lifetime during which it is exposed on this specific link. This equation represents the proportion of service data deemed compromised due to transmission over this link.

$${SER}_r^{(i,j)}={\displaystyle \frac{p_{(i,j)}\times D_r^{(i,j)}}{D_r}}$$

(1)

For an end-to-end path, we model it as a series system in risk analysis. In this model, a successful eavesdropping attack on any single link along the path compromises the entire service. Consequently, the total risk of the path is the sum of the risks of its constituent links. Thus, the SER of a service on a path is defined as Equation (2), where $path$ is the set of links constituting the routing path of $r$. This value represents the overall exposure risk of choosing this path for end-to-end transmission.

$$SE{R}_r^{path}={\displaystyle \sum _{(i,j)\in path}SE{R}_r^{(i,j)}}={\displaystyle \sum _{(i,j)\in path}\frac{p_{(i,j)}\times D_r^{(i,j)}}{D_r}}$$

(2)

When a service is transmitted over multiple paths (i.e., dynamic path switching), an eavesdropper may choose to monitor any one of them. Under a worst-case security assumption, we posit that the eavesdropper can always target the most vulnerable path (the one with the highest SER). Therefore, the overall SER for the service is determined by the maximum SER among all paths used, as given in Equation (3), where $Paths$ denotes the set of paths over which the service $r$ is transmitted.

$$SE{R}_r=\underset{path\in Paths}{\max }\left\{SE{R}_r^{path}\right\}$$

(3)

3.2. DMSR

The objective of the DMSR scheme is to reduce the service’s SER by switching the routing path frequently. The objective function is formulated as Equation (4), where $R$ denotes the set of services, $SE{R}_r$ denotes the SER of service $r$.

$$\mathrm{Minimize}\left\{SE{R}_r\right\}$$

(4)

To further illustrate the DMSR scheme, four routing strategies for a service $r$ are shown in Figure 3a–d. Service $r$’s source and destination are G₁ and G₄, and its arrival time and departure time are 0s and 10s, respectively. Strategy 1 exclusively utilizes ground nodes for relaying and maintains a fixed path {G₁, G₃, G₄}. Strategy 2 solely employs satellite nodes for relaying and maintains a fixed path {G₁, S₄, S₅, S₆, G₄}. At t = 5 s, Strategy 3 performs complete path switching from {G₁, G₃, G₄} to {G₁, S₄, S₅, S₆, G₄}, while Strategy 4 executes partial path switching from {G₁, G₃, G₄} to {G₁, G₃, G₂, G₄}. For ease of illustration, we assume an eavesdropping probability of 0.1 for each link. According to Equations (1)–(3), service $r$’s SER in Strategy 1 is 0.1 × 1 + 0.1 × 1 = 0.2, the service $r$’s SER in Strategy 2 is 0.1 × 1 + 0.1 × 1 + 0.1 × 1 + 0.1 × 1 = 0.4, the service $r$’s SER in Strategy 3 is Max{0.1 × 0.5 + 0.1 × 0.5, 0.1 × 0.5 + 0.1 × 0.5 + 0.1 × 0.5 + 0.1 × 0.5} = 0.2, and the service $r$’s SER in Strategy 4 is Max{0.1 × 0.5 + 0.1 × 0.5, 0.1 × 0.5 + 0.1 × 0.5 + 0.1 × 0.5} = 0.15. Based on the above calculation, we find that different routing strategy has totally different SER. Further, comparison between Strategy 1 and Strategy 2 reveals that longer paths (higher hop counts) yield greater SER. Consequently, path selection should prioritize shorter routes. Comparing Strategy 1 and Strategy 4 confirms that routing path switching can effectively reduce SER. However, this benefit is not universal. Though implementing path switching, Strategy 3 maintains identical SER to Strategy 1. This equivalence occurs because Strategy 3’s longer path negates the transmission-time reduction gained from path switching. Although path switching can reduce SER, it introduces computational/signaling overhead and delay jitter. Consequently, unlimited switching frequency proves unsustainable. In practical applications, we must constrain the number of paths switching to balance anti-eavesdropping gains against network operational costs.

4. Heuristic Algorithms

In this section, heuristic algorithms are developed to realize the DMSR scheme, as given in Algorithms 1–3. Specifically, Algorithm 1 is the overall algorithm based on Algorithms 2 and 3, and Algorithms 2 and 3 are used to determine the routing path in the TON and SGION, respectively.

Algorithm 1: Dynamic Multipath Secure Routing (DMSR)

Input: TON topology $G(VG,EG)$, SGION topology $SG(V,E)$, service request $r$, the number of service path switches $n$, the number of the shortest paths $k$;

Output: the set of routing paths $Paths$, the set of path switching instants $ST$;

1: Initialize: $Paths\leftarrow \varnothing$, $ST\leftarrow \varnothing$, $t\leftarrow A_r$;

2: Calculate the path switching time interval $\Delta t=D_r/\left(n+1\right)$;

3: Call Algorithm 2 to obtain the routing path $p_t^{GON}$ at time slot $t$ in the TON;

4: if $p_t^{GON}\ne \varnothing$ then

5:  Add $p_t^{GON}$ and $t$ to $Paths$ and $ST$, respectively;

6:  $t\leftarrow t+\Delta t$;

7: else

8:  Call Algorithm 3 to obtain the routing path $p_t^{SGION}$ and next path switching instant $t_{ns}$ in the SGION;

9:  if $p_t^{SGION}\ne \varnothing$ then

10:   Add $p_t^{SGION}$ and $t$ to $Paths$ and $ST$, respectively;

11:   $t\leftarrow t_{ns}$;

12:  else

13:   Block service $r$;

14:  end if

15: end if

16: while $t<A_r+D_r$ do

17:  Call Algorithm 2 to obtain the routing path $p_t^{GON}$ on the TON;

18:  if $p_t^{GON}\ne \varnothing$ then

19:   Add $p_t^{GON}$ and $t$ to $Paths$ and $ST$, respectively;

20:   $t\leftarrow t+\Delta t$;

21:  else

22:   Call Algorithm 3 to obtain the routing path $p_t^{SGION}$ and next path switching instant $t_{ns}$ in the SGION;

23:   if $p_t^{SGION}\ne \varnothing$ then

24:    Add $p_t^{SGION}$ and $t$ to $Paths$ and $ST$, respectively;

25:    $t\leftarrow t_{ns}$;

26:   else

27:    Block service $r$;

28:   end if

29:  end if

30: end while

31: return $Paths$, $ST$;

Algorithm 2: Routing Path Determination in the TON

Input: time slot $t_s$, TON topology $G(VG,EG)$ at time slot $t_s$, service request $r$, path switching time interval $\Delta t$, the number of the shortest paths $k$;

Output: routing path $p$ at time slot $t_s$;

1: Initialize: $p\leftarrow \varnothing$;

2: for $t=t_s$ to $t_s+\Delta t$ do

3:  for each link $(i,j)\in EG$ do

4:   if $w_{(i,j)}^{rem}\left(t\right)=0$ then

5:    Remove link $(i,j)$ from $G$;

6:   end if

7:  end for

8: end for

9: Use the KSP algorithm to search the $k$ shortest paths $Paths$ between $s_r$ and $d_r$ in graph $G$;

10: for each path $p\in Paths$ do

11:  Calculate the SER of service $r$, assuming its remaining data is fully transmitted through path $p$;

12: end for

13: Obtain the path with the minimum SER in $Paths$ as $p$;

14: return $p$;

Algorithm 3: Routing Path Determination in the SGION

Input: time slot $t_s$, SGION topology $SG(V,E)$ at time slot $t_s$, service request $r$, path switching time interval $\Delta t$, the number of the shortest paths $k$;

Output: routing path $p$ at time slot $t_s$, next path switching instant $t_{ns}$;

1: Initialize: $p\leftarrow \varnothing$, $t_{ns}\leftarrow t_s+\Delta t$, $S{G}^{pre}\leftarrow SG$;

2: for $t=t_s$ to $t_{ns}$ do

3:  for each link $(i,j)\in E$ do

4:   if $w_{(i,j)}^{rem}\left(t\right)=0$ or $x_{(i,j)}(t)=0$ then

5:    Remove link $(i,j)$ from $SG$;

6:   end if

7:  end for

8:  if there is no path between $s_r$ and $d_r$ in graph $SG$ then

9:   $SG\leftarrow S{G}^{pre}$;

10:   $t_{ns}\leftarrow t$;

11:   break;

12:  else

13:   $S{G}^{pre}\leftarrow SG$;

14:  end if

15: end for

16: Use the KSP algorithm to search the $k$ shortest paths $Paths$ between $s_r$ and $d_r$ in graph $SG$;

17: for each path $p\in Paths$ do

18:  Calculate the SER of service $r$, assuming its remaining data is fully transmitted through path $p$;

19: end for

20: Obtain the path with the minimum SER in $Paths$ as $p$;

21: return $p$, $t_{ns}$;

Algorithm 1 is the main routine that coordinates path switching for a service request. When a service request arrives at the network, Algorithm 1 first searches for available paths in the TON. If no available path is found, it subsequently searches for available paths in the SGION. If no path is still found, the service will be blocked. The inputs of Algorithm 1 include two system parameters, which are the number of service path switches $n$ and the number of the shortest paths $k$. In our proposed DMSR scheme, the path of a service may undergo multiple switches to resist eavesdropping. Therefore, the outputs of Algorithm 1 are the set of routing paths for a service and the corresponding path switching instants. In Step 1, $t$ is initialized as an indicator to indicate when to carry out path switching. In Step 2, the service path switching time interval is calculated according to the service duration and the pre-set service path switching count. This is the default time interval between consecutive path switches. In Steps 3–15, the initial routing path $r$ is determined by calling Algorithm 2 and Algorithm 3 in order. Similarly, the routing paths of $r$ at subsequent time slots are obtained in Steps 16–30. Note that when calling Algorithm 3 for routing in the SGION, the resulting service path may contain intermittent SGLs. Consequently, the subsequent path switching instant for the service may vary and no longer adhere to the default interval. The while loop ensures that path switching occurs periodically or adaptively based on network conditions.

As illustrated above, Algorithm 2 is used to obtain the routing path in the TON. In Steps 2–8, the link wavelength resource availability is checked. For each time slot from $t_s$ to $t_s+\Delta t$, and for each link $(i,j)$ in the TON, the remaining wavelength resource $w_{(i,j)}^{rem}(t)$ is calculated. This calculation is based solely on services already established at time slot $t$ (future services are unpredictable). Specifically, $w_{(i,j)}^{rem}(t)$ is the total number of wavelengths on link $(i,j)$ minus the number allocated to active services at time slot $t$. Note that in this paper, we assume that each node (including satellite node and ground node) is capable of wavelength conversion. Therefore, we only consider the wavelength capacity constraint of the links and not the wavelength continuity constraint. If $w_{(i,j)}^{rem}(t)=0$ for any time slot in the interval, the link is removed from the graph $G$. This ensures that only links with continuous resource availability are considered. In Step 9, the $k$ shortest paths (KSP) algorithm is applied to the updated graph $G$ to find $k$ candidate paths between the source and the destination. In Steps 10–12, for each candidate path, the SER is computed according to Equation (3), assuming the service’s remaining data are fully transmitted through that path. Finally, the path with the minimum SER is obtained as the final routing path in the TON.

Algorithm 3 is proposed to determine the routing path in the SGION, accounting for dynamic topology and resource changes. Considering that the network topology and available wavelength resources vary over time, our proposed heuristic algorithms support dynamic adaptation of the actual path switching count based on real-time network conditions and link availability to reduce the service blocking rate. Consequently, the actual path switching instant may deviate from its pre-set value. Correspondingly, the outputs of Algorithm 2 include not only the routing path at time slot $t_s$ but also the next path switching instant $t_{ns}$. In Step 1, $S{G}^{pre}$ is initialized to store the network topology at the previous time slot as a fallback. In Steps 3–7, the link wavelength resource availability and link connectivity are checked. The link remaining wavelength resource calculation is similar to Algorithm 2. The link connectivity is obtained based on predictable satellite trajectories, and we use a binary variable $x_{(i,j)}(t)$ to denote whether link $(i,j)$ is connected at time slot $t$. For each time slot from $t_s$ to $t_{ns}$, and for each link $(i,j)$, if either $w_{(i,j)}^{rem}\left(t\right)=0$ or $x_{(i,j)}(t)=0$, the link is removed from graph $SG$. After updating $SG$, if no path exists between $s_r$ and $d_r$ at time slot $t$, the algorithm reverts to the last viable topology $S{G}^{pre}$ and sets $t_{ns}=t$. This forces an immediate path switching to avoid service disruption. Otherwise, $S{G}^{pre}$ is updated to the current $SG$. In Step 16, the KSP algorithm is employed to find $k$ candidate routing paths in the final $SG$. In Steps 17–19, the SER of $r$ on each path is calculated as Algorithm 2. Finally, the path with the minimum SER is selected as the final routing path in the SGION.

The time complexity of Algorithm 2 is $O\left(D_r\left|EG\right|+k\left|VG\right|\left(\left|EG\right|+\left|VG\right|\log \left|VG\right|\right)\right)$, where $\left|VG\right|$ and $\left|EG\right|$ denote the number of nodes and links in the TON, respectively. The time complexity of Algorithm 3 is $O\left(D_r{\left|V\right|}^2+k\left|V\right|\left(\left|E\right|+\left|V\right|\log \left|V\right|\right)\right)$, where $\left|V\right|$ and $\left|E\right|$ denote the number of nodes and links in the SGION, respectively. Based on the time complexities of Algorithms 2 and 3, the time complexity of Algorithm 1 is $O\left(n\left(D_r{\left|V\right|}^2+k\left|V\right|\left(\left|E\right|+\left|V\right|\log \left|V\right|\right)\right)\right)$.

5. Performance Evaluation

In this section, the performance of the DMSR scheme that is realized by our proposed heuristic algorithms is evaluated by extensive simulations.

5.1. Simulation Setup

In this paper, the Iridium constellation and the terrestrial network NSFNET are used to construct the SON and TON, respectively. Specifically, Iridium is a Walker Star constellation with 6 orbit planes and 11 satellites per orbit plane, and its orbit altitude and inclination are 780 km and 86.4°, respectively. NSFNET is a ground network connecting U.S. supercomputers and universities with 14 nodes and 21 links. Also, each ground node is configured with a GS to establish SGLs with visible satellites. The Poisson process is employed to simulate the dynamic arrival process of service requests with an arrival rate $\lambda$ = 1 new arrival per second. The duration of services follows the exponential distribution with the service rate $\mu$ = 1/100 to 1/700 to simulate different network load conditions. The source and destination of each service request are randomly selected from ground nodes. All simulation parameters are summarized in

Table 1. Simulation parameters.

SON (Iridium)
Number of orbital planes	6
Number of satellites per orbital plane	11
Orbit altitude	780 km
Orbit inclination	86.4°
Phase factor	0
Minimum elevation angle	8.2°
ISLL capacity	8 × 12.5 Gbps
TON (NSFNET)
Number of nodes	14
Number of fiber links	21
Fiber link capacity	16 × 12.5 Gbps
SGL capacity	4 × 12.5 Gbps
Service requests
Source\Destination	Ground nodes
Arrival rate $\lambda$	1/s
Service rate $\mu$	1/[100, 700]
Other parameters
Link eavesdropping probability	0.1/[0, 1]
Simulation period $T$	1000 s
Time slot length $\tau$	1 s

. To avoid randomness in results, each simulation is run 5 times, and the average outcomes are obtained.

5.2. Influence of System Parameters

As illustrated in Algorithm 1, the performance of our proposed DMSR algorithm is influenced by two system parameters, which are the number of service path switches $n$ and the number of shortest paths $k$. To further evaluate the impact of $n$ and $k$ on algorithm performance, extensive simulations are conducted to obtain the service blocking rate, average service path switching count, average SER, and average band utilization of the DMSR algorithm with different system parameters under light ($\mu$ = 1/100), medium ($\mu$ = 1/300), and heavy ($\mu$ = 1/700) network loads. In addition, to compare the routing computation time overhead and QoS metrics under different system parameter configurations for the DMSR scheme, we simulated the average routing computation time, average service latency, and average latency jitter under a light network load. In this scenario, the service blocking rate was zero for all parameter sets, allowing for a fair comparison.

Figure 4 shows the performance of the DMSR algorithm with different system parameters under light network load ($\mu$ = 1/100). Since the network load is very light, the service blocking rates of the DMSR algorithm with different system parameters are identical and equal to 0, as shown in Figure 4a. As shown in Figure 4b, with the increase in $n$, the average service path switching count also rises, which demonstrates that parameter $n$ can indeed control the service path switching frequency. In addition, the algorithm with different $k$ exhibits identical path switching counts, indicating that the system parameter $k$ does not affect service path switching frequency under light network load. In Figure 4c, when $n=0$, the algorithm with different $k$ exhibits identical average SER. When $n>1$, average SER decreases as $k$ increases. For example, when $n=2$, the average SER decreases from 0.22 to 0.08 as $k$ increases from 1 to 10. Moreover, when $n>1$, further increasing $n$ does not yield further reduction in SER. This occurs because the multiple shortest paths have many overlapped links. Consequently, additional path switching cannot further decrease the SER. In Figure 4d, when $k>1$, as $n$ increases, the band utilization first increases and then stabilizes. This indicates that once $n$ exceeds a certain value, its impact on band utilization becomes negligible. Additionally, when $n>1$, band utilization increases with increasing $k$. This occurs because larger $k$ provides more alternative paths for service switching. The DMSR algorithm will select longer routing paths for service path switching, which will consume more band resources and thereby increase band utilization. Note that under the light network load, the service blocking rate has already reached its minimum, so the increase in band utilization reflects greater consumption of band (wavelength) resources.

Figure 5 shows the performance of the DMSR algorithm under medium network load ($\mu$ = 1/300). In Figure 5a, when $n<2$, the service blocking rate changes significantly with increasing $n$, whereas when $n\ge 2$, further increases in $n$ have little impact on the blocking rate. For example, at $k=1$, as $n$ increases from 0 to 2, the blocking rate decreases by 4.88%, but only decreases by 0.05% when $n$ increases from 2 to 10. Notably, when $k$ is set to 3 to 10, as $n$ increases from 0 to 2, the blocking rate significantly increases. This occurs because the DMSR algorithm with larger $k$ will select longer paths for services, which will consume more band resources, thereby increasing the service blocking rate. On the other hand, when $n$ is fixed, the service blocking rate gradually increases with increasing $k$. For instance, at $n=4$, as $k$ increases from 1 to 10, the service blocking rate increases by 15.67%. The increase in service blocking rate is mainly due to larger $k$ leading to longer paths and greater band resource consumption. Figure 5b shows that when $n$ is fixed, as $k$ increases, the service path switching count gradually increases. For example, at $n=6$, as $k$ increases from 1 to 10, the service path switching count increases by 9.84%. The increase in service path switching frequency is attributed to larger $k$ providing more path selection options. In Figure 5c, as $n$ increases, the average SER decreases, especially when $n$ increases from 0 to 2. For example, at $k=2$, the service decreases by 0.16 as $n$ increases from 0 to 2, and by 0.03 when $n$ further increases from 2 to 10. For system parameter $k$, when $n\ge 2$, as $k$ increases, the SER significantly decreases, especially when $k$ increases from 1 to 2. For example, at $n=4$, as $k$ increases from 1 to 2, the SER decreases by 0.05; as $k$ further increases from 2 to 10, the SER only decreases by 0.03. Figure 5d shows that when $n\ge 2$, as $k$ increases, the band utilization decreases, and the band utilization of $k=1$ is significantly lower than other system parameter configurations. Note that the band utilization is consistent with the service blocking rate, demonstrating that the DMSR algorithm with larger $k$ will consume more band resources. To further evaluate the system parameters $n$ and $k$, simulations are conducted under heavy network load ($\mu$ = 1/700), and corresponding results are shown in Figure 6. Comparing Figure 5 and Figure 6, we can find that the simulation results under heavy network load are similar to those under medium network load.

Figure 7a,b present a comparison of the average routing computation time and QoS metrics for the DMSR scheme across different system parameter configurations under light network load ($\mu$ = 1/100). In Figure 7a, as $n$ increases, the average routing computation time also rises, and this growth becomes more pronounced with larger values of $k$. For example, when $k$ = 1, increasing $n$ from 0 to 10 leads to a 17.87% increase in the average routing computation time. In contrast, when $k$ = 10, increasing $n$ from 0 to 10 results in a much larger increase of 58.42%. This occurs because a larger $n$ leads to a higher average path switching frequency for services, necessitating more frequent routing computations, which in turn increases the computational time overhead. Furthermore, a larger $k$ amplifies this effect, as the increased number of route calculations requires significantly more time. As shown in Figure 7b, the trends of the average service latency and average service latency jitter are almost identical as $n$ and $k$ increase. When $k$ = 1, both the average service latency and the latency jitter remain nearly constant with the increase in $n$, staying at 7 ms and 0 ms, respectively. For other values of $k$, both the average latency and the latency jitter first increase sharply and then increase gradually or remain unchanged as $n$ grows. As $n$ increases, the average path switching frequency for services also rises, which leads to the selection of longer routing paths in the next path switching instant to maintain a lower SER and finally increase the average latency. The increase in the average latency jitter is a natural consequence of the increased number of path switches. In contrast, when $n$ remains constant, both the average service latency and latency jitter gradually increase with the increase in $k$. The reason is that as $k$ increases, longer and more diverse paths will be selected when the path needs to be switched.

According to results in Figure 4, Figure 5, Figure 6 and Figure 7, we can conclude that system parameters $n$ and $k$ will greatly impact the performance of the DMSR algorithm in terms of service blocking rate, path switching count, SER, band utilization, routing computation time, service latency, and service latency jitter. Generally, increasing $n$ and $k$ can reduce the SER, but at the cost of increasing the service blocking rate, the routing computation overhead, and the QoS metrics. Consequently, we need to set appropriate $n$ and $k$ to achieve a good trade-off among these key metrics. Further observation of Figure 5, Figure 6 and Figure 7 reveals that increasing $n$ beyond 2 and $k$ beyond 4 yields only marginal reductions in the SER. Additionally, the service blocking rate, average routing computation time, average service latency, and average latency jitter at $k=4$ remain relatively low. Consequently, we set $n=2$ and $k=4$ in subsequent simulations to obtain a balanced optimization among service blocking rate, SER, routing computation overhead, and QoS metrics.

5.3. Performance Comparison

To further evaluate the performance of our proposed DMSR scheme, the DMSR scheme is compared with three secure routing schemes of the shortest path routing (SPR) scheme, the eavesdropping-aware routing and wavelength allocation (EA-RWA) scheme [30], and the random routing (RAND) scheme [31], which are detailed as follows:

In the SPR scheme, service paths are determined by Dijkstra’s algorithm and will not switch until SGL handovers along the current path occur.

In the EA-RWA scheme, the KSP algorithm is first used to obtain $k$ shortest paths. Then, the SER of each path is calculated, and these $k$ paths are sorted in ascending order according to their SER values. Finally, the path with the minimum SER and sufficient resources is selected as the final routing path and will not switch until SGL handovers along the current path occur.

In the RAND scheme, each time a path switch occurs (including the initial routing path determination), one of the following methods—shortest path, Algorithm 2, or Algorithm 3—is randomly selected to determine the routing path. The routing path will not switch until SGL handovers along the current path occur.

First, the eavesdropping probability of each link is set to 0.1, and the simulation results are shown in Figure 8. Figure 8a shows that as traffic load increases, the service blocking rates of all four schemes gradually increase. Moreover, when the traffic load is <300, the service blocking rate of the DMSR scheme is lower than that of other schemes. Whereas when the traffic load is ≥300, the service blocking rate of DMSR becomes the highest. The reason for the increase in service blocking rate is that DMSR selects longer paths during service path switching to reduce SER, which consumes more band resources, thereby reducing the number of services that can be transmitted through the network. Figure 8b shows that as traffic load increases, the path switching count of DMSR gradually increases, whereas the path switching count of other schemes remains nearly constant. For DMSR, although we set the number of path switches $n$ to 2, the actual path switching count gradually increases with the increase in the traffic load. The actual path switching count gradually increases with the increase in the traffic load. This occurs because diminishing network bandwidth resources prompt the DMSR scheme to select paths with shorter remaining link durations for service path switches, thereby increasing the actual service path switching count. Furthermore, note that the service path switching count of the SPR scheme is not 0. The reason is that though the DMSR scheme does not proactively switch routing paths for services, it considers the path switching caused by SGL handovers with satellite-to-ground relative motions. Figure 8c shows that the SER of DMSR is significantly lower than that of other schemes. For example, at the traffic load = 400 Erlang, compared to SPR, ES-RWA, and RAND, the SER of DMSR is reduced by 55.43%, 58.06%, and 56.21%, respectively. At the traffic load = 700 Erlang, compared to SPR, ES-RWA, and RAND, the SER of DMSR is reduced by 55.69%, 61.19%, and 60.22%, respectively. The decrease in the SER demonstrates that DMSR can indeed reduce the SER compared to other schemes. Figure 8d shows that the band utilization of DMSR is significantly higher than that of other schemes, especially when the traffic load is heavy. For instance, at the traffic load = 100 Erlang, compared to SPR, ES-RWA, and RAND, the band utilization of DMSR is improved by 3.7%, 2%, and 2.59%, respectively. At the traffic load = 400 Erlang, compared to SPR, ES-RWA, and RAND, the band utilization of DMSR is improved by 9.35%, 6.35%, and 5.72%, respectively. Note that when the traffic load ≥ 300 Erlang, the service blocking rate of DMSR is higher than that of other schemes, which demonstrates that DMSR will consume more band resources. Figure 8e shows that the routing computation overhead of DMSR is higher than that of other schemes, especially when the traffic load is heavy. For example, when the traffic load is 700 Erlang, compared to SPR, ES-RWA, and RAND, the average routing time of DMSR is increased by 228.85%, 139.2%, and 115.11%, respectively. This is because DMSR proactively switches service paths to reduce the SER. This proactive path switching increases the number of routing computations, thus leading to greater time overhead. By comparison, SPR involves the fewest service path switches and thus the fewest path computations, leading to the smallest time overhead. Figure 8f shows that when the traffic load ≥300 Erlang, the average service latency of DMSR is higher than that of other schemes. This is because, in DMSR, as the number of path switches for a given service increases, longer paths are selected during each switch to achieve a lower SER, thus leading to an increase in service latency. Figure 8f also shows that DMSR consistently exhibits the highest latency jitter. This higher jitter is caused by the increased number of service path switches inherent to DMSR.

To further evaluate the performance of DMSR, we rerun simulations with the eavesdropping probability of each link being set to random values uniformly distributed over [0, 1], and present the results in Figure 9. We can find that the results in Figure 9 are very similar to the results in Figure 8. Specifically, compared to the other three schemes, the DMSR scheme has a higher service blocking rate, path switching count, band utilization, routing computation time, service latency, service latency jitter, and significantly lower SER.

Based on the results in Figure 8 and Figure 9, we can conclude that DMSR effectively reduces SER, albeit at the cost of increased service blocking rate, routing computation overhead, service latency, and latency jitter. We argue that a certain degree of degradation in network performance is a necessary and justified sacrifice to ensure secure (anti-eavesdropping) service transmission. In addition, in our proposed DMSR scheme, system parameters $n$ and $k$ can be adjusted according to practical requirements to strike a balance between service security and network performance, demonstrating the flexibility of the DMSR scheme.

6. Discussion

The DMSR scheme proposed in this paper attempts to resist eavesdropping through proactive service path switching. However, the scheme still has some limitations. First, the DMSR scheme only considers eavesdropping on links while overlooking potential eavesdropping on nodes. In fact, eavesdroppers can obtain service data by intercepting communications at either satellite or ground nodes. Second, physical attributes such as link signal-to-noise ratio (SNR) are not taken into account, even though link capacity and the service leakage severity are closely related to these characteristics. Therefore, we will further consider eavesdropping on nodes and eavesdropping-related physical characteristics to establish a more accurate eavesdropping model in our subsequent research. Moreover, our simulation setup relies on fixed or uniformly distributed eavesdropping probabilities (e.g., 0.1 or random in [0, 1]), which may not fully capture the dynamics of real-world attacks. In practice, eavesdropping probabilities could vary based on physical-layer factors like signal strength, antenna gain, or environmental conditions. While this simplification allowed us to focus on the routing mechanism’s efficacy, future work should integrate more realistic adversarial models, such as those incorporating SNR-based metrics or machine learning-driven attack patterns, to enhance the credibility of the evaluation. In addition, simulation results indicate that although frequent service path switching can reduce the SER, it leads to an increase in the service blocking rate, which consequently limits network capacity. In our subsequent work, we will try to introduce some traditional encryption methods to the DMSR scheme to mitigate the risk of service data leakage while maintaining a low service blocking rate.

7. Conclusions

This paper proposes a secure routing scheme called DMSR to resist eavesdropping attacks during service transmission in the SGION. In DMSR, we first define the SER metric to quantify the service leakage severity. Then, the objective of DMSR is to reduce each service’s SER by switching the routing path frequently. To realize DMSR, heuristic algorithms are developed to sequentially search for optimal routing paths for service path switching in the TON and then in the SGION. To evaluate the performance of DMSR, we first evaluate the impact of the system parameters. Then, DMSR is compared with three baseline schemes of SPR, EA-RWA, and RAND. Simulation results demonstrate that DMSR can achieve trade-offs between secure service transmission and network performance at different levels by adjusting its system parameters. Furthermore, compared to the baseline schemes, DMSR significantly reduces the SER, albeit at the expense of increased computational overhead and service latency.