Semantic-Aware Anomaly Detection for Satellite-IoT Networks: A Lightweight Transformer-Based Approach

Authors: Park Junbeom, Park Jongsou and Yoon Zizung

Satellite-IoT networks are increasingly deployed in mission-critical domains such as disaster response, military communications, maritime surveillance, and remote sensing. However, their heterogeneous architectures and resource-constrained nodes expose them to sophisticated cyber threats that exploit semantic dependencies across structured packet fields. Traditional intrusion detection systems (IDS) often fail to capture such dependencies, particularly when packet fields are missing or incomplete. To address this challenge, we propose a lightweight anomaly detection approach based on DistilBERT—a compact Transformer-based language model fine-tuned to classify sentence-based representations of structured Satellite-IoT packets. The adopted sentence-based representation preserves inter-field dependencies and contextual semantics while supporting efficient processing in resource-constrained Satellite-IoT environments. A scenario-driven dataset was constructed to support this approach, incorporating 15 protocol- and security-aware fields derived from realistic communication flows. It includes three attack categories (Injection, Replay, and Privilege Abuse) and a normal class, simulating diverse traffic conditions observed in operational Satellite-IoT environments. Experimental evaluations confirm that the proposed model accurately detects semantic anomalies under both complete and missing-field conditions, achieving 99.0% accuracy and 98.9% F1-score. These results demonstrate the feasibility of applying a lightweight large language model (LLM) for semantic packet analysis in space communication systems and contribute to interpretable, context-aware intrusion detection in next-generation Satellite-IoT architectures.