Threat analysis for space information network based on network security attributes: a review

Space Information Network (SIN) is a multi-purpose heterogeneous network. Due to the large-scale of SIN, its secure and stable operation is vulnerable to various threats. Much of current threat analysis for SIN is based on the network function or architecture. However, this approach cannot clearly divide the relation between threats and secure communication measures for a highly integrated network. Furthermore, it will lead to overlapping in segregation of secure duties. This paper presents a comprehensive review of threats and corresponding solutions in SIN from the perspective of network security attributes. In order to make the analysis applicable to more scenarios, the following three most essential attributes, confidentiality, integrity and availability, are selected as the threatened objectives. At the same time, for cross-reference with the analysis based on network function or architecture, this paper relates network layers to network security attributes through secure communication mechanisms. Specifically, the confidentiality includes confidential information-exchange and Authentication and Key Agreement (AKA), the integrity includes information identification and information restoration, and the availability includes link establishment, routing mechanism, and mobility management. According to above framework, this paper provides a cross-layer perspective for analyzing threat and enhancing the security and stability of SIN. Finally, this paper concludes with a summary of challenges and future work in SIN.


Introduction
The scale of the Space Information Network (SIN) is growing at an accelerated rate due to advancements in communication technologies and the growth of space networks. As a deep integration network, SIN consists of space networks, aerial networks and terrestrial devices [1]. It integrates most 1 network resources and carries a variety of communication services. In order to improve scalability and compatibility of SIN, the current development of SIN can be divided into two directions. One of the directions is the earth orbit satellite network, which has been in development for as long as the Internet [2]. Benefiting from lower launch costs of the satellite [3], satellite networks today are moving towards the Ultra-Dense Low Earth Orbit (LEO) satellite constellation. At present, approximately 75% of satellites in earth orbit currently are LEO satellites [4]. Ultra-dense LEO satellite constellations have greatly enhanced coverage and communication capacity compared with previous satellite networks. They can combine with other networks to form a large-scale integrated network and fully exploit their role in various fields such as maritime monitoring [5], search and rescue [6], industrial Internet of Things (IoT) [7] and military command systems [8]. Due to the human exploration of the space, another development direction is the interplanetary relay network, which can provide stable and reliable communication links in the deep space [9]. The deep space communication ensures continuous connection between the Earth control center and the space mission site during exploration, allowing control commands and experimental data to be transmitted promptly. In addition, the rise of multi-antenna technologies, artificial intelligence and blockchain has brought new development prospects for SIN. Especially for the space part, there are many opportunities and challenges in content distribution, edge computing, collaborative tasks and processing space-native data [10].
The multi-purpose characteristic of SIN equips wider range of services with new application scenarios, but security issues in a large integrated network also become more complex. On the one hand, information resources are under serious threats. The openness of wireless channels can expose the transmitted data to wiretap, forgery and interference. Furthermore, due to the increase in the number of users, there is a massive amount of privacy. The problem of privacy leakage has also become a major concern of users. On the other hand, it will be more difficult to ensure the stability of network system operation. The deeper the network integration, the more factors need to be considered for the system's stable operation. Firstly, with a lot of mobile devices connected to SIN, authority and resource management must be addressed to guarantee security and Quality of Service (QoS). Secondly, the multi-purpose network needs to face the problem of heterogeneity among subnets. The optimization of the architecture and protocols among heterogeneous networks is vital to the stable communication.
In order to ensure the secure and stable operation of SIN, comprehensively analyzing threats to network systems is crucial. Generally, threat analysis for a simple network is mainly based on the network architecture or function. However, the complex network environment and service function lead to ambiguous segregation of secure duties among different layers. It is challenging to holistically confront threats according to the analysis based on network layers. In another alternative, network security attributes are fundamental elements in network security situation assessment. Therefore, this paper attempts to analyze threats in SIN based on network security attributes and summarizes the countermeasures against threats. In order to make the result of this work applicable to more scenarios, the paper selects the three most essential attributes, confidentiality, integrity and availability, as threatened objective. This method can better help designers analyze security requirements from a system perspective and provide a clear view of the secure duties segregation.
The main contributions of this paper include the following: 1. Construct a research framework under security attribute and introduce the correspondence between network architecture and network security attributes. In this paper, network security functions are classified according to the security attributes they maintain, and these functions are grouped into different secure communication mechanisms. This forms the research framework of this paper, which cuts into the threat analysis of SIN from the perspective of security attributes. The threat analysis, countermeasure, and challenges and future work follow this framework to open a new perspective for the reader. In addition to the threat analysis based on network security attributes is more systematic than the analysis based on layer or function, this paper still regards the better understanding of the threat generation and correlation between analysis works as important. Through the security communication mechanisms in SIN, the relation between network layers and attributes can be built. In this way, readers can both use this paper to gain a systematic understanding about threats and find cross-layer solutions, and use the established relations to retrieve research in specific areas from other articles.

Analyze threats of SIN based on network security attributes.
From the perspective of security attributes, this paper analyzes threats to SIN systematically. Threats to confidentiality includes information leakage and unauthorized access. Threats to integrity involves deception, tampering and destruction during information storage and forwarding. In the impact on availability, the link establishment is affected by unbalanced resources allocation, inflexible transmission mechanisms and incompatibility between heterogeneous networks. After establishing links between nodes, the routing mechanism needs to confront constellation structure destruction, routing information deception and logical connection mutation. Moreover, threats to mobility management involve network system overload, inefficient handover strategies, and inflexible forwarding strategies.
3. Summarize countermeasures against each threat. This paper also categorizes and summarizes recent research findings to solve threats to SIN. For confidentiality, the solutions against threats to the confidential informationexchange are mainly anti-leakage mechanisms in different layers. The enhancements for Authentication and Key Agreement (AKA) are mainly from access authentication protocols, key management protocols and privacypreserving strategies. For integrity, the information identification can be strengthened by modification detection, source authentication and physical feature identification. The information restoration can be strengthened by anti-jamming and recovery. For availability, the countermeasures in the link establishment involve the resource allocation of physical links, the transmission mechanisms of logic links and the integration of heterogeneous networks, which can stabilize links. The countermeasures in the routing mechanism focuses on constellation design, routing scheme, and routing paths monitoring, which can enhance network survivability. The solutions in mobility management optimize the location and handover management.

Elaborate challenges and potential research directions.
According to the content of the threat analysis in SIN, this paper presents technical challenges for confidentiality, integrity and availability, and provides references for the future work.
The rest of this paper is organized as follows: "Preliminaries" introduces the model structure of SIN and prior related works. The research framework under network security attribute and the correspondence between the network hierarchy and network security attributes in the threat analysis is given. In "Threat analysis based on network security attributes", threats to SIN are analyzed based on network security attributes. "Solutions to threats of Space Information Network" summarizes corresponding solutions to threats mentioned in the previous section. "Challenges and future work" then provides challenges and directions for the future research in SIN. Finally, "Conclusion" concludes this paper. To improve the guidance, we provide the structure of the paper in Fig 1.

System model of Space Information Network
SIN is composed of terrestrial devices, aerial networks and space networks, and its model is shown in Fig. 2. Especially, SIN is a part of the space-ground integrated network [11]. Terrestrial devices consist of nodes on the ground and sea. Aerial networks consist of Low-Altitude Platforms (LAPs) and High-Altitude Platforms (HAPs) [12]. The main components of space networks are satellites, spacecraft and ground control centers. In detail, space networks comprise the near-Earth and deep space networks [13]. The near-Earth networks have various orbit heights. According to the mission requirement, satellites can be placed into low, medium, synchronous, or high Earth orbits, while orbits of deep space networks are more complex and diverse than those of the near-Earth networks [14,15].
Because SIN is a multi-purpose heterogeneous network, each part of it undertakes different functions. Terrestrial devices are mainly sensors and communication terminals used for environmental monitoring and instant messaging [16]. The aerial network can provide low-latency communication services [17] between terrestrial devices. At the same time, it can also serve as an access point which can assist terrestrial devices to access the space network [18] to integrate network resources and structure. The near-Earth network is the backbone of SIN. It not only needs to undertake tasks such as natural resource monitoring, navigation positioning, and cosmic observation, but also needs to establish links with other parts and forward data between heterogeneous networks [13]. The primary function of the deep space network is to establish a reliable link for interplanetary exploration missions and meet the requirement of high-latency communication [19].
The near-Earth network can be the backbone network of SIN because the current data and control center are on Earth. However, as technology develops and network infrastructure migrates to extraterrestrial planets, each planet will form its own network of near-ground satellite. Therefore, the deep space network will gradually become the new backbone of SIN, linking planets closely to each other.

Prior related work
In recent years, a lot of excellent surveys and reviews about SIN's threat attract the attention of researchers. These works attempt to analyze and solve the threats in the network from different perspectives. They paid more attention to a certain layer or a certain function and summarized the latest research results in detail. This part introduces the above works and compares these surveys with our work.
More specifically, the threat analysis based on the network architecture takes into account the security in different layers independently. When solving non-cross layer problems, it can accurately locate the critical reason. In the physical layer, Physical Layer Security (PLS) [20] plays a vital role in confronting threats. Sanenga et al. [21] introduced the difference between PLS and cryptographic schemes in wireless networks. Then, they provided a comprehensive overview of MIMO technologies and the latest PLS research in 5G and 6G communication. Wu   tiveness and complexity of anti-spoofing methods from the signal and data levels and summarized research directions in related fields. In addition, with the increase of the mobile devices' number, the availability of medium access and frame transmission is more dependent on the protocol in the datalink layer. Ferrer et al. [23] reviewed the ground-to-satellite Medium Access Control (MAC) protocols. The paper evaluated the performance of MAC protocols' quantitatively and qualitatively under the scenario of Nanosatellites with the Internet of Things (IoT). In the network layer, Yan et al. [24] analyzed the threat to the routing operation and summarized secure routing protocols from perspectives of cryptography, trust management and multipath methods. Darwish et al. [25] discussed the location management in LEO satellite networks. They analyzed advantages and disadvantages of three methods: Internet Engineering Task Force (IETF) mobility management, the locator/identifier split method, and the Software Defined Network-based (SDN) location management. For the transmission protocol of the transport layer, Wang et al. [26] summarized reliable data transmission protocols in Satellite-ground link SIN and compared the differences of mechanism and performance.
Furthermore, considering the complexity of SIN, the security assurance also depends on cross-layer strategies or network functions. Zhou et al. [27] analyzed the relation between threats and services in SIN. They compared the difference in secure routing protocols and anomaly detection methods between traditional technology and Artificial Intelligence (AI). In [28], Fourati et al. summarized the latest AI technologies to confront challenges in the satellite communication. Jiang et al. [29] surveyed the security problems and researches in SIN from handoff, transmission control, key management and routing. From the perspective of network function, this paper aimed to explain and formulate security issues and proposed a secure routing protocol based on intrusion detection.
The above surveys examine important aspects of threats to SIN, but a comprehensive discussion of the entire network system is still lacking. This observation prompts the writing of this paper to deeply discuss the threats in SIN, so as to ensure that this research covers the existing network systems. Therefore, we choose network security attribute as an entry point. This perspective can contain as many threats as possible to make the analysis more suitable for SIN's complex structures. Moreover, a broad review is necessary because SIN has recently started to gain momentum in both academia and industry. The analysis based on network security attribute can be compatible with more network structures and network functions. It has stronger scalability and portability. A comparison is summarized in Table 1 to point out the distinctive contribution of our review.
However, this paper still leaves something to be desired. Since our work covers almost all threats in SIN, we have had to streamline it while safeguarding that the analysis and countermeasures are not missed. Conversely, this results in the reader not being able to get more detail from this paper when delving into studying one of these areas. To address this issue, we establish a correspondence between security properties and network hierarchies in the next subsection. In this way, readers can both use this paper to gain a systematic understanding of threats and use the established cross-layer relations to retrieve research in specific areas.

Construction of the research framework
The selection of threatened objectives is important for establishing a clear relation. Due to the various network architectures and security attributes in SIN, threatened objectives need to be relevant to most networks. The selection of the network architecture refers to the system security requirements of the Consultative Committee for Space Data Systems (CCSDS) [30], which mainly considers threats in the physical, data-link, network, transport and application layers of the Open Systems Interconnection (OSI) model. When selecting network security attributes, this paper takes into account fundamentality and universality. Therefore, confidentiality, integrity and availability are more suitable for the work in this paper.
The above works focus on a single or certain network layers and pay little attention to the correlation among threats in different layers. However, a threat may affect many layers because of its complexity. When solving a threat, these works may not provide help from holistic perspectives. On the contrary, the analysis based on network security attributes can provide a cross-layer perspective for enhancing the countermeasure. Moreover, through layers' and attributes' relations with secure communication mechanisms, the connection between network layers and security attributes can also be established. The brief description of the relation is shown in Fig. 3. For the security of SIN, protecting information is a top priority. According to the forms of information, it can be divided into the signal, code, message and data levels. The physical layer generates the information at the signal and code levels. The data-link, network and transport layers encapsulate information into frames, packets and segments. These three types of information belong to the message level. The application layer generates the information at the data level. The security of information at all levels relies on confidential information-exchange, information identification and information restoration. Confidential information-exchange can be achieved by data encryption, coding and modulation as well as signal and antenna. Information identification includes signal identification and message authentication. Information restoration consists of data recovery and antiinterference. For the above secure communication mechanisms, the confidential information-exchange ensures the confidentiality, and information identification and restoration ensure the integrity.
In addition, the information transmission also needs to rely on secure communication mechanisms. The link establishment includes point-to-point physical links and end-to-end logical links. Physical links require power budget, frequency resources management and MAC protocol. Logical links need transmission mechanism, control and heterogeneous communication. Through improving protocols in the datalink and transport layers, links in SIN can be more stable. The routing mechanism at the network layer is a vital function to build a connection between physical and logical links. It consists of constellation structure, orbit adjustment and secure routing. These mechanisms can ensure availability of the reliable transmission.
Furthermore, devices joining a network also need to rely on AKA and mobility management. The operation of these mechanisms needs the participation of multiple layers. Identity authentication and authority management require AKA to ensure confidentiality. These functions include access authentication, key management and privacy protection. Handover scheme, location management and forwarding strategy require mobility management to ensure availability. In this way, we can construct a research framework of this paper in Fig 4. Subsequent sections will analyze the threats and countermeasures according to this framework.

Threat analysis based on network security attributes
This section analyzes SIN threats based on network security attributes. In the subsection of threats to confidentiality, it illustrates the threats' impact on the confidential information-exchange and AKA. The subsection of threats to integrity includes the threats' impact on the information identification and the information restoration. In the subsection of availability, threats related to the link establishment, the routing mechanism and the mobility management are discussed. The structure of this section is shown in Fig. 5.

Impact on confidential information exchange
Network undertakes the function of resource sharing and information transmission. These resources and information include user privacy and control commands. In the operation of SIN, these types of information face the theft from unauthorized attackers. Therefore, the confidential informationexchange is a crucial secure communication mechanism to ensure confidentiality. Traditional security measures mainly use the messages encryption. However, encryption cannot stop the attacker from obtaining physical signals in wireless network scenarios. Moreover, in the case of resource constrained, the security of the encryption algorithm also needs to strike a balance between computing resources and computational complexity. In response to aforementioned issues, this part will analyze threats from three perspectives: signal eavesdropping, encryption mechanism compromised, as well as resource and environmental constraints. The summary is described in Table 2.
First, the information collection under open channels can seriously threaten the confidentiality of SIN. In the spaceground communication, the signal in open channels is mostly propagated by broadcasting. With a large beam coverage, the attacker can capture the signal using the channel monitoring equipment [31]. An example of the signal eavesdropping is shown in Fig. 6. For the interstellar link, due to the fast movement of nodes and the high directivity of the beam, it is more challenging to monitor the communication between satellites. Especially for the satellite network with laser links, the risk of signal eavesdropping is lower. If wireless signals are captured, the attacker may gradually convert the information at the signal level into the code, message and data levels. This operation can provide raw information for launching other attacks. Pavur et al. demonstrated an attack in [32]. The experiment only used simple and cheap terrestrial signal reception equipment to collect data from Digital Video Broadcasting-Satellite (DVB-S) system through service providers' vulnerabilities and obtained several gigabytes of sensitive traffic containing user privacy in a few hours.
After attackers convert the collected ciphertext layer by layer, they can try to break the encryption to get the plaintext. Among methods for cracking encrypted messages, the brute-force attack [33] is the most straightforward one. This attack is very effective for breaking low-security encryption systems. It cracks ciphertext through powerful computing resources combining the dictionary attack. In addition to relying on powerful computing resources, side-channel attacks [34] can obtain relevant parameters of the secret key by collecting and analyzing changes in power consumption and electromagnetic leakage passively. Attackers can also actively launch differential fault analysis attacks [35] by introducing faults during system running, and secret key parameters can be inferred according to the system's feedback. After obtaining key parameters, the attacker can use them to decrypt the collected ciphertext. Moreover, some traditional encryption algorithms are not secure under quantum computing theory. Shor's algorithm [36] makes the asymmetric cryptosystem based on the problem of hidden subgroup in the cyclic group no longer reliable. Grover's algorithm [37] provides an efficient quantum search algorithm, which reduces the computational complexity of enumeration searches for secret keys. Thus, the system should carefully consider the secret key length of the symmetric cryptosystem. For the above reasons, quantum attacks [38] are worth being considered for threats to confidentiality.
Another type of threat is caused by the conflict between complex encryption mechanisms and constrained resources on mobile nodes. The current homomorphic encryption is a typical example. The relevant theory and the performance of the hardware limit its effectiveness in practical applications [39]. Since asymmetric cryptography requires many exponential calculations, it is not suitable as the main encryption algorithm for session messages. Symmetric cryptography requires network nodes to save session keys of all communication parties. For large-scale networks, the storage of session keys will consume a lot of storage space. Furthermore, encryption mechanisms' security and resource consumption need to be balanced according to the application scenario. Otherwise, under the dual influence of the high bit error rate and the avalanche effect in the space environment, very few bit errors in the ciphertext will lead to a large number of errors in the decrypted plaintext [40]. On the contrary, a weaker avalanche effect can cause poor randomness in the ciphertext and increase the risk of plaintext leakage. For instance, among anti-quantum cryptography schemes, lattice-based schemes allow the construction of efficient key exchange and public-key encryption schemes. When using Learning With Errors (LWE) or Ring LWE (RLWE) based encryption methods, the error distribution with a large vari-   Unable to make the encryption algorithm work at full capacity ance will bring better security, but it will also increase the probability of decryption failure [41].

Impact on authentication and key agreement
Ensuring the confidentiality of SIN not only needs to prevent the information theft, but also requires AKA to manage system authority. On the one hand, the security of the access operation primarily comprises three parts: mobile nodes, satellite nodes and ground stations. The access authentication should verify visitors' identities and protect users' privacy with the cooperation of three parts. On the other hand, the key agreement assigns secret keys to nodes and establishes context security during communication. System vulnerabil-ities are the main threat to AKA. The impact of threat is divided into identity impersonation, leakage of key-related information and revelation of privacy. The summary of this part is described in Table 3. During the access authentication, the attacker needs to exploit the vulnerability to obtain legitimate identities and authorities. The vulnerabilities are classified into the following three types based on their location: ground station vulnerability, access point vulnerability and mobile device vulnerability. Among them, 1. The ground station vulnerability is a breach for attackers to obtain authentication information stored in servers. The attacker can accomplish the authentication through the

Signal captured by eavesdroppers
Signal received by user Fig. 6 An example of the signal eavesdropping stolen information. The stolen-verifier attack is a typical threat on the ground station side [42]. With user-related information stolen from the verifier, the attacker can masquerade as a legitimate user. To launch the stolen-verifier attack, the privileged insider attack [43,44] can provide users' registration information on the server-side. This attack is a necessary part in undermining the confidentiality of the system. 2. For the vulnerabilities at the access point, attackers can use it to launch impersonation attacks [45]. They can disguise the malicious node as a relay node and replay or tamper with the forwarded messages. The communication contents of servers and mobile devices are under the attacker's control. 3. Attackers can also exploit the vulnerabilities of mobile device side to obtain their identity information. A more common threat is the stolen smart-card attack, which can obtain the information required for authentication [46]. With the help of the stolen information and password guessing attack [47], attackers can deceive the verification of the ground station.
Another threat to AKA is key-related information leakage. There are two main reasons for this threat as follows: poor key infrastructure and vulnerability in key management strategies. The server of the symmetric cryptosystem stores a large number of key-related data. If the direct secret key information, such as the secret key table, is exposed, all the information in the network will become open and transparent [48]. If the indirect secret key information is exposed, it will also allow an adversary to launch a stolen-verifier attack [42]. Compared with the symmetric cryptosystem, the asymmetric cryptosystem has a higher computational complexity and construction cost. The asymmetric cryptosystem was first introduced into the satellite network by Cruickshank in [49]. Since a large number of users, both Public Key Infrastructure (PKI) and Identity-Based Cryptosystems (IBC) based asymmetric cryptosystems require a trusted third party to manage public keys. This problem will make SIN suffer from high maintenance costs, and the signature of the public key will lead to identity leakage. Therefore, the asymmetric cryptosystem cannot be widely used in session encryption. Furthermore, vulnerabilities in key management strategies will seriously compromise perfect forward secrecy [50] and perfect backward secrecy [51]. If the protocol lacks the perfect forward secrecy, master and session keys will highly correlate [51]. To achieve perfect backward secrecy, the correlation between previous and future session keys need to be reduced. If the protocol lacks the perfect backward secrecy, the leakage of previous session keys will reduce the confidentiality of future session keys [52]. Especially in group key systems, key updating and revocation policies should be carefully considered. In addition, vulnerabilities in the key distribution operation can also lead to a man-in-the-middle attack on the system.
For the threat to the privacy, although sensitive data are transmitted under encryption, attackers are still interested in personal biometric information, position, property information or other privacy. They want to continuously collect the same user's information to obtain the strong relevant data. Especially in identity authentication, if the user always uses the same information in authentication, the attacker will deduce the privacy of user's identity and position [48]. This problem can make the user's anonymity lost. Furthermore, unlinkability requires that members in the network cannot distinguish the source of encryption messages [53]. If the system's unlinkability is lost, the attacker can continuously collect the information from the target user, then infer the content of the message according to the context relevance. Table 3 Threats to the authentication and key agreement Type of threat Cause of threat Impact of threat Identity impersonation Defects in authentication protocol design System authority will be obtained illegally Leakage of key-related information Complexity of key management and vulnerability of agreement protocol Higher maintenance costs and loss of confidentiality and integrity Revelation of privacy Frequent identity information submission Leakage of user identity, location and other related secret

Reassembly of transmission information Context prediction caused by linkability between information Falsified information cannot be identified
Forgery of transmission information Leakage of encryption mechanism or signal structure Forged information cannot be identified

Impact on information identification
The information transmitted in SIN is not difficult to collect by attackers [31]. Although the collected information may be unreadable for attackers, they can still exploit the information to deceive the information identification mechanism.
Through purposefully choosing or creating information, the attacker can induce nodes in the network to respond to fake messages. Therefore, the attackers' purpose is to exploit vulnerabilities to make the information identification mechanism unable to verify the source, freshness and authenticity of the fake information. In the following, the specific impact of such threats will be discussed. It involves the replay of transmission information, reassembly of transmission information and forgery of transmission information. The summary is described in Table 4.
The easiest attack to implement is the replay of transmission information. The attacker first compares the collected context to infer its content and function, then selects information purposefully and sends it to the network again. An example of this threat is shown in Fig. 7. For the attack at the message level, since the attacker does not modify the message, the message's format is the same as that of the normal message. Hence, this attack can avoid the check of non-time-sensitive and non-source-sensitive message authentication algorithms. Especially in the broadcast-based microwave communication network, attackers can obtain a large amount of authentication or control information. In this case, the replay of transmission information constantly threatens the security of SIN. For the attack at the signal level, the repeater jamming is used as a signal replay method [54]. The attacker can delay and gain the captured signal, then retransmit it [55] to accomplish the deception. For timing and navigation systems, if the victim receives the deception signal, services of position and time may have been affected. Although the information replay is simple to implement, its risk cannot be ignored.

Attack link Communication link
Checking the freshness and source of information is an effective way to avoid the replay attack. In contrast, the reassembly of transmission information [56] can have a more severe impact. Attackers can compare the collected messages to infer the packet's content and structure. With the help of these inferences, they can intercept and splice different messages or predict and edit the message's content [57]. As a result, the created fake messages can avoid the check of information identification. An example of this threat is shown in Fig. 8. For nodes ready to access SIN, an attacker can send the incorrect signaling information to them through the System Information Signaling (SIS) spoofing attack [58]. Because the SIS spoofing attack happens before the access authentication, using cryptographic methods to authenticate SIS is difficult. If the mobile node uses an incorrect SIS, it will consume the computing resources rather than interact with the ground station properly.  In addition, attackers can also attempt to forge information. Forgery of information is based on a breach of confidentiality and brings more difficulties to information identification. An example of this threat is shown in Fig. 9. At the message level, attackers can exploit vulnerabilities to construct the ciphertext. Under the framework of AES-GCM algorithm, if a node uses a repeated initialization vector during the encryption, the attacker can launch a misuse attack to reconstruct the secret key [59]. Thus, there is an opportunity for attackers to create a ciphertext without knowing the master key [60]. At the signal level, the mechanism of generated jamming is more sophisticated than that of repeating jamming. This attack constructs fake signals according to the target signal structure [61]. Affected by fake signals, victims will receive incorrect and indistinguishable information. In the Global Navigation Satellite System (GNSS), the induced spoofing attack gradually adjusts parameters of the spoofed signal so that the victim cannot be aware of the difference between the fake and true signals [62].

Impact on information restoration
Another requirement for integrity is to restore the corrupted information in transmission and storage. This mechanism is concerned with the readability and authenticity of information. In transmission, the destruction of readability threatens the signal receiving by adding interference to the wireless channel. The destruction of authenticity only threatens the information identification. If the system does not recognize the fake information, the information restoration will find and correct the stored fake information. The information in the storage state consists of critical records, configuration information or other secret data. The destruction of the authenticity is mainly implemented through unautho-rized information modification or information restoration compromise. The destruction of readability comes from the destruction of the data or data storage infrastructure. According to the state and the impact, this part will analyze the threats to information restoration from signal interference, storage data modification, and storage data destruction. The summary is described in Table 5.
The signal is the carrier of information in the physical environment, and a reliable channel environment is the most basic guarantee for signal propagation. However, the transmit power of the mobile node signal is constrained, which is too weak to be affected by interference [63]. Therefore, signal interference is more common and harmful than other integrity threats. An example of this threat is shown in Fig. 10. According to their generation, interferences can be divided into the intentional and unintentional [64]: 1. The intentional interference can be divided into the spoofing and blanket jamming [65,66]. Spoofing jamming has been mentioned in the information identification. The blanket jamming injects high-power interference signals to reduce the desired signal's Signal-Noise Ratio (SNR).
In the further subdivision of the blanket jamming, the spot jamming [67,68] needs to have the same transmission parameters with that of the desired signal. This interference can cause the loss of signal's symbols and carriers. The barrage jamming [67,69] only considers the interference frequency. It increases the Bit Error Rate (BER) within frequency band by spreading high-power interference. 2. The unintentional interference can be divided into environmental interference and radio frequency interference. Environmental interference is caused by fading and environmental noise [70]. During severe weather, the signal will be lost due to excessive fading [71]. Moreover, during the sun transit outage, solar radiation can seriously interfere with space-to-ground signals. And high-speed moving satellites also increase BER due to the large Doppler frequency offset [72]. In addition, the radio frequency interference cannot be ignored. With more and more wireless devices in the space network, signal frequencies are easier to overlap [73].
The storage data modification is also a serious threat to SIN. The data in the storage state includes the management and business information, which are related to the regular operation of various services and the decision of a huge integrated system. Malicious users can modify the management information stored in the server through system vulnerabilities. Therefore, they can forge fake identities or escalate their privileges. In addition, due to the high complexity, high cost, and high risk of the satellite system, its construction, maintenance and management will involve multiple parties. In order to conceal illegal operations, participants may use privileges to modify log files [74] to evade responsibility. For the security of the business information, financial and insurance industry data has exceptionally high requirements for integrity. If the customer's insurance contract, transaction data and other important information are modified, it will cause huge loss to both company and customer [75]. Compared with information modification, storage data destruction is easier to implement. 1. To cause data level damage, attackers need to exploit system vulnerabilities to invade the server and delete the contents. 2. Moreover, the physical damage to the network infrastructure can also make data unreadable. It can be non-manmade destruction caused by natural disasters. This threat is sudden and unpredictable. In this case, the damage caused to the centrally storage managed data is catastrophic and impossible to be recovered [75]. The man-made destruction has a more severe impact. It can not only destroy the physical infrastructure, but also launch high-altitude electromagnetic pulse attacks to disconnect the data center from the outside devices [76], stopping the system from backing up and transferring data.

Impact on link establishment
The link between communication nodes are the foundation of SIN. They consist of point-to-point physical links and end-to-end logical links. The establishment of the physical link relies on protocols of the physical and data-link layers.
In the physical layer, signal management is a crucial function for power budget to meet requirements of simultaneous access. In the data-link layer, the MAC protocol manages the constrained time-frequency resources and reduces the propagation delay [77]. End-to-end communication is supported by logical links. The reliability of logical links depends on the transport layer protocols which have flow control and congestion control mechanisms. In this part, threat's impacts on physical and logical links are discussed in terms of resource allocation and transmission mechanisms. In addition, the heterogeneous problem of SIN is also an important content of link establishment. The summary is described in Table 6.
In establishing physical links, threats mainly come from the unbalanced allocation and low utilization of resources. On the one hand, the channel environment is constantly changing due to the relative high-speed movement between nodes. Therefore, nodes need to adjust power budget and predict the beam switching in real-time. However, because the channel state changes fast [78], it is difficult to provide comprehensive and accurate information for resource allocation strategy. In this case, the node cannot reasonably allocate power and frequency resources. To make matters worse, when a prolonged eclipse occurs, the satellite will shut down some of the components to reserve enough power so that it can ensure entering the solar irradiation range again. This situation can cause widespread communication failures. On the other hand, with the increase in mobile devices, it is more difficult to coordinate the transmission of frames in wireless networks. Although there are three types of MAC protocols, they are not suitable for SIN. To be specific, the weakness of fixed assignment protocol is the constrained scalability, random access protocol will waste channel resources due to competition among devices, and hybrids protocol needs to analyze the complex network environment before allocating resources [23]. In addition, with MAC protocol defects, attackers can also deliberately create a large number of useless MAC frames and continuously send them to consume channel resources maliciously. In establishing logical links, paper [26] introduces the transmission protocol of SIN in detail. According to characteristics of these protocols, they can be divided into TCP-type and non-TCP-type protocols. The TCP-type protocol is designed based on the classic TCP protocol. The protocols' control mechanism or network infrastructure is modified to make improved protocols more suitable for SIN. Thus, the TCP-type protocol has high compatibility with network based on TCP/IP architecture. However, in the space environment, the control mechanism of TCP-type protocols is still not flexible enough. Specifically, TCP-type protocols must adjust the transmit window size after receiving the ACK message. The serious jitter in SIN leads to the instability of the Round-Trip Time (RTT) so that the transmit window size grows slowly even though the network is under a low capacity. Furthermore, this unstable channel state will also lead to the non-convergence of transmit window. Especially in the deep space communication, there is a serious packet loss problem [79]. Likewise, congestion control mechanisms also face similar problems. Due to the asymmetric bandwidth of the logical link [80], when traffic congestion occurs on the backward link with a smaller bandwidth, although the forward link has sufficient bandwidth resources, the congestion control mechanism should still reduce the size of the transmit window [81]. In addition, the Performance Enhancing Proxy (PEP) [82] was introduced to mitigate the impact of large RTT. Frustratingly, if users require to encrypt packets strictly, PEP will fail to take effect [83].
Another problem is related to non-TCP-type protocols designed for space links and deep space missions. These protocols still follow OSI, and CCSDS has built a relatively perfect protocol stack [30]. At present, researchers pay more attention to Bundle Protocol (BP) [84] and Licklider Transmission Protocol (LTP) [85]. It is used in the Delay-Tolerant Networking (DTN) architecture [86]. DTN improves transmission flexibility under unstable links by the store and forward mechanisms. However, the heterogeneous data format leads to the inability to directly switch data between networks with different protocols [87]. An example of heterogeneous protocol stack model in SIN is shown in Fig. 11. Although BP can solve the problem of data heterogeneity between DTN and traditional networks, some security services still cannot be deployed on DTN. For example, the PKI-certified public key needs to be accessed in a continuous network through a TCP-type protocol. Still, it cannot be implemented in an intermittent network such as DTN [88].
In addition to the heterogeneity of protocols, the heterogeneity of functions also poses a threat to transmission. Due to different network functions, the rate of their communication interface is not matched. Mismatched network transmission rates can cause link congestion. Moreover, communication between heterogeneous networks requires gateway nodes at the network boundary to convert data formats or match transmission rates. The capability of the gateway node is then tied to the bottleneck of network performance.

Impact on routing mechanism
The routing function of SIN is mainly undertaken by the space network. Although terrestrial and aerial devices can set up temporary networks, the routing mechanism of the temporary networks is not the focus of the analysis. This part focuses on analyzing threats to routing mechanisms in the space network. The routing mechanism is composed of the constellation structure and routing strategy. Because satellites are placed in fixed orbits, the physical topology of the space network changes periodically. When predicting changes in the network topology, the constellation structure is a vital calculation basis. At the same time, due to the high speed of space nodes, the routing strategy needs to consider the characteristics of the constellation structure to ensure the reliability of routing paths. In addition to ensuring network QoS [89], the routing strategy also needs to evaluate routing nodes' reputation. Due to the openness and mobility of SIN, the routing mechanism is subject to various threats [90]. The following part discusses impacts of constellation structure destruction, routing information deception, and logical connection mutation. The summary is briefly described in Table 7.
The constellation structure destruction aims to permanently destroy satellite nodes and change network's physical topology. This threat can make network links disconnected and unrepairable in a short term. According to the generation Missile Fig. 12 An example of the man-made constellation structure destruction of the threat, it can be divided into man-made and nonman-made destruction. The man-made destruction attacks the target node purposefully and actively. This attacks aims to reduce the connectivity of the network. Such attacks use ballistic missiles and laser weapons to destroy satellites physically [91,92]. And network's key nodes are more easily given priority as attack targets, thereby minimizing the availability of the network. An example of the attack is shown in Fig. 12. Non-man-made destruction is caused by environmental threats. Nodes are destroyed randomly. On the one hand, there is a risk of collision between overdense orbiters [93] and space debris [94]. Orbiters need to rely on orbital environment situational awareness techniques to avoid collision [95]. On the other hand, the high-energy electromagnetic radiation can cause malfunctions in spacecraft electronics, such as system shutdowns or power interruptions [27]. For the availability of the routing function, if destroyed nodes are not important and their number is small, the network can reconstruct the routing of the damaged topology. However, as the number of destroyed nodes increases, the distance between some adjacent satellites will exceed the communication range. Then, the network will be physically divided into multiple sub-networks and messages cannot be delivered between sub-networks.
The consequence of constellation structure destruction is a change in the physical topology, so this threat is easily The routing paths under black hole attack observable once it occurs. Unlike destroying satellites, the routing information deception is stealthier. Attackers only deceive member nodes by releasing fake topology information and do not destroy nodes physically. The routing information deception can be divided into routing node disguise [24] and logical network segmentation [91]. To implement routing node disguise, malicious nodes need to declare themselves as the best forwarding nodes by tampering with or forging routing information [24,96]. Thus, they can intercept or collect messages in the network. The black hole attack [97] and the wormhole attack [98] are two common node disguise attacks. Fig. 13 depicts an example of a black hole attack. Unlike routing node disguise, logical network segmentation does not require malicious nodes to receive messages. It only changes the reachability state in the routing table by sending deceptive routing information. This attack can split a network into multiple logically unconnected subnets. The routing information deception destroys the network's logical topology from reachability and connectivity.
In addition, the high-speed mobility of satellites leads to the frequent switching of network links, which may cause a mutation in the network's logical topology. The instability of the logical topology creates challenges for routing decisions. In this case, the frequent links switching will generate many ineffective routing information [99]. The mutation of the logical topology will also make the routing algorithm fail to converge. Therefore, packets may not be delivered to the destination address in time, and invalid message exchange will waste network resources. Especially under the polar orbit constellation model, the impact of this threat is more obvious. In high-latitude regions, the polar orbit distribution is dense and satellites in different orbits move faster relative to each other, so they cannot capture signals from other orbit' satellites [100]. This threat can result in the deterioration of the interstellar link state in a short time and the reduction in the connectivity of the logical topology.

Impact on mobility management
Unlike the situation in the terrestrial network, the relative movement between nodes always exists in SIN. In order to maintain continuous communication, lower-rank nodes need to switch access points in the higher-rank network constantly. When handover happens, mobility management needs to guarantee service availability and user privacy. Therefore, effective mobility management is required for switching access points. During the switching, threats to mobility management primarily affect request processing, handover strategy and data forwarding strategy. The remainder of this part will provide a detailed analysis of threats' impacts. Table 8 provides a brief summary of this section.
With the increase of SIN's purposes and the development of IoT technology, more and more devices can join SIN to enjoy convenient services. However, because of the growth in the number of devices, the network needs to handle more handover requests. This issue brings a massive challenge to SIN. For networks with poor scalability and low capacity, the heavy task of mobility management has become the primary threat to network failure. In hot spots, with a large number of mobile nodes frequently switching access points, massive signaling and outdated data will be generated [101,102]. Processing and storing the handover data are huge stress on network systems. Especially in the centralized network, once the service's processing capacity reaches the bottleneck, the entire network will face access failure [103]. In addition to the pressure caused by the handover request, the inefficient handover strategy will cause the intermittent interruption of network links and the loss of service data. This threat exacerbates the instability of network services. On the one hand, the unstable channel state brings external instability factors to the handover strategy. Due to the high-speed movement of the access point, the channel state will change rapidly [78], the delay jitter will become larger and BER will increase. These problems put forward higher reliability requirements for the handover strategy. On the other hand, the cumbersome handover operation leads to mobile devices cannot receive messages for a long time. The device failing to send or receive messages until the handover is completed. Due to security requirements, the design of the handover strategy is rigorous. However, the more secure the handover strategy is, the more channel resources the operation wastes. These requirements create a conflict between efficiency and security.
Moreover, due to the frequent switching of access points, the network edge topology also changes frequently. To ensure services' continuity and real-time, the flexibility of the forwarding strategy is crucial. Firstly, frequent changes of node's address will cause link instability, and outdated information in the routing table will lead to routing path nonconvergence [104]. Secondly, the design of the forwarding strategy will affect the efficiency of the routing algorithm. For example, the forwarding strategy in traditional mobile IP networks will cause the problem of the triangular routing, which makes the routing path redundant [105,106]. The example is shown in Fig. 14. These threats related to forwarding can cause the delay and loss of the data during transmission [107]. In particular, services with a large amount of data and high real-time requirements are particularly sensitive to changes in network topology. Once a wrong routing path occurs, a large amount of data cannot arrive in time, and the real-time service performance will be greatly affected.
The mobility management also involves user privacy security. The handover method based on identity and location requires the mobile node to upload the privacy related information to the server. The high frequency of handover and authentication exposes privacy to a greater risk of leakage [108]. Since this kind of threat has been described in detail in "Impact on authentication and key agreement", it will not be repeated in this part.

Solutions to threats of Space Information Network
To deal with threats mentioned in the previous section, this section summarizes the corresponding solutions. In the subsection on confidentiality, the confidential informationexchange presents techniques related to PLS and encryption algorithms. AKA covers strategies of identity authentication, key agreement and privacy protection. In the subsection on integrity, the information identification covers three aspects: modification detection, source authentication and physical feature identification. The information restoration introduces methods of anti-jamming and data backup. In the subsection on availability, the link establishment includes resource allocation for physical links, transmission mechanism for logical links and convergence of heterogeneous networks. The routing mechanism introduces methods of constellation design, routing strategy and routing paths monitoring. The mobility management presents research on location management and handover management. The main contents of this section are shown in Fig. 15.

Confidential information exchange
In SIN, threats to confidentiality mainly come from the nature of the transmission medium, the defect of the communication model and the vulnerability of the encryption mechanism. To ensure confidentiality, on the one hand, improving the encryption mechanism can prevent attackers from obtaining plaintext. At the same time, it is necessary to balance the security and the computational cost of algorithms. This protection is a higher-layer security method. On the other hand, eavesdropping under the open channel is common but dangerous. The confidentiality in information exchange can be strengthened according to PLS [20] proposed by Wyner. This protection is a lower-layer security method. According  Fig. 15 Methods to ensure the security of SIN to the above description, this part will summarize countermeasures from data, message levels and code, signal levels. The research summary is briefly described in Table 9.
The countermeasure at data and message levels prevents the leakage of plaintext. Confidentiality is mainly guaranteed by encryption algorithm enhancement and encryption mechanism optimization. In general, encryption algorithms can be divided into asymmetric encryption and symmetric encryption algorithms. Shen et al. [109] used the asymmetric encryption algorithm to realize a secure transmission of messages. This algorithm encrypts the address and payload using different keys, and satellite nodes can only obtain address information. The scheme also introduces a blockdesign-based key agreement method [110]. This method reduces the communication complexity in group key distribution. However, considering the computational complexity of asymmetric encryption algorithms, they are rarely directly applied in the session encryption of SIN. The computational efficiency of the symmetric encryption algorithm is more suitable for the communication system with frequent sessions. For image data in the SIN, Naim et al. [111] proposed an encryption algorithm based on the hyperchaotic system and the Josephus problem. The hyperchaotic system is used for the diffusion operation and the Josephus problem is used for the scrambling operation. This encryption algorithm reduces the possibility of obtaining image information and key-related parameters. In addition to enhancing encryption algorithms, steganography in cryptography can hide secret information in carriers. Thakkar et al. [112] used steganography to hide the data into video. This mechanism reduces the possibility of attackers discovering the hidden data. In the meantime, the scheme also encrypts the transmission data. As a result, confidentiality can be protected at two levels.
The protection at code and signal levels directly prevent eavesdropping under the open channel. PLS was originally proposed by Wyner [20] and defined secrecy capacity based on information theory. In the follow-up study, artificial noise [113] and beamforming [114] have been used to improve the secrecy capacity [115]. For the security scheme at the code level, Geng et al. [116] used the channel coding to maximize the channel difference between eavesdroppers and legitimate nodes. This scheme requires legitimate node pairs to generate a scrambling matrix using the Channel State Information (CSI). The scrambling matrix is used in the Low Density Parity Check (LDPC) encoding. Without the scrambling matrix, the eavesdropper can only receive the information with interference. In the signal modulation and demodulation stage, Luo et al. [117] proposed a dual-polar modulation scheme based on Constellation Rotation and Weighted Fractional Fourier Transform (CR-WFRFT). First, the spectrum distribution of signals processed by WFRFT is close to Gaussian distribution. The processed signal is difficult to be detected by eavesdroppers. Second, the random rotation of constel-lation points makes eavesdroppers impossible to crack the WFRFT order by order scanning, so it is difficult for an eavesdropper to demodulate the signal accurately. At the signal level, the artificial noise can add noise to the signal captured by eavesdroppers. Liu et al. [118] proposed a secure method through non-confidential user assistance. In this method, the ground station superimposes the confidential and non-confidential signal with hybrid-power factors. Thus, eavesdroppers cannot extract the confidential signal from mixed signal. The non-confidential user needs to forward the non-confidential signal to the confidential user. Confidential users can reconstruct the confidential signal after receiving both the non-confidential and mixed signals. Furthermore, in order to reduce unnecessary energy consumption, the definition of Secrecy Energy Efficiency (SEE) is proposed to balance the transmit power and the secrecy rate [119]. Lin et al. [120] studied a communication scheme based on the Rate-Splitting Multiple Access (RSMA). Through the successive convex approximation combined with the Taylor expansion method, the optimization problem that satisfies the secrecy rate constraint of the ground station, the transmit rate requirement of the cellular user and the transmit power budget of satellite and base station can be efficiently calculated. This scheme achieves both interferences to eavesdropping channels and maximum SEE for the ground station. These PLS methods and encryption algorithms can be applied at different levels to make a complementary protection selectively.

Authentication and key agreement
AKA provides functions such as identity authentication, key agreement and privacy protection for devices in SIN. It can prevent unauthorized network access and ensure that legitimate users can use network resources fairly. Since threats to AKA are mostly caused by system vulnerabilities, this part will summarize measures from three directions: authentication strategy, key management strategy and privacy protection strategy. The research summary is described in Table 10.
When a device establishes a primary connection with an access point, the system should authenticate the device to ensure that only legitimate users can use network resources. In order to improve the efficiency of roaming authentication, Yang et al. [121] proposed a scheme in which foreign satellites can authenticate roaming users through a group signature. Since the intermediate node can verify the signature of the roaming user, this scheme reduces the number of interactions for roaming authentication, and makes user's real identity only available to the home agent. In addition to the mutual authentication between the user equipment and the ground agent, verifying the access point's identity is also important for preventing deception attacks. Jedermann et al. [122] proposed an orbit characteristics-based satellite Authenticated devices need the key assigned to ensure the confidentiality and the integrity of the subsequent sessions.
The key agreement is another important task of the access authentication. Huang et al. [123] proposed an encryptionbased mutual authentication and key update (EMAKU) protocol for constellation nodes. This protocol can establish a secure inter-satellite channel through mutual authentication. Owing to the secure channel, even if satellites are not within the communication range of the ground station, they can still accomplish the key update under the ground station's control. With the development of the quantum computing, the cryptography based on the classical number theory assumption is no longer secure enough. Therefore, new cryptography schemes should be considered. The lattice-based cryptosystem cannot be cracked by quantum computing in polynomial time. It is an important encryption system in post-quantum cryptography. Guo et al. [124] designed a key exchange and authentication protocol based on RLWE. On the one hand, the key exchange protocol uses lattice-based cryptography to reduce the threat from quantum computing. On the other hand, this authentication protocol considers the latency caused by multiparty interaction among mobile nodes, satellite nodes and ground stations [125] and designs a two-part mutual authentication between the mobile node and the satellite node.
Users in SIN pay more attention to their privacy issues. In order to prevent the revelation of privacy, the authentication scheme needs to meet requirements of anonymity and unlinkability. Chen et al. [126] proposed a robust threeelement authentication protocol. It uses fuzzy extraction to obtain slightly different biological features, and resolves the contradiction between feature differences and the avalanche effect of the hash function. It can effectively prevent attackers from tracking information. Since biometrics cannot perfectly guarantee anonymity, two-factor authentication using passwords and smart cards becomes another viable option. Nitish et al. [127] proposed an enhanced anonymous authentication scheme based on smart card and dynamic identity. The scheme will change user's identity for each login to enhance anonymity. It can also overcome stolen smart-card attack and other problems caused by such attack. Liu et al. [128] provided a distributed anonymous authentication scheme, which uses the zero-knowledge-proof to ensure anonymity and unlinkability. At the same time, the scheme introduces Shamir's secret sharing to prevent collusion attacks launched by ground stations. To ensure the scheme's fairness, it uses blockchain to record the service status. In Internet of Drones, Nitish et al. [129] proposed a lightweight blockchain model for distributed authentication. No trusted ground station is needed for transaction validation. To ensure the anonymity of the user, a ring signature-based scheme is used to hide the sender's identity. And they provided four schemes for different scenarios.

Information identification
The information identification is a basic requirement of SIN. It includes the identification of freshness, source and feature. If attackers want to break the integrity by intercepting, reassembling and forging, they need to exploit the vulnerability of the information identification. To discover the information replay, the detection of freshness is very effective. This method is also the most common method in the information identification mechanism. However, reassembly and forgery of information is usually premised on breaking confidentiality. It is not easy to find an effective and universal protection method. For different scenarios, the information identification can strengthen the protection of integrity through modification detection, source authentication, and physical feature identification. The research summary is described in Table 11.
The digital signature is a common mean to strengthen modification detection. It can not only prevent the reassembly of signed messages, but also make messages non-repudiation. Maurich et al. [130] designed a data relay security protocol for the federated satellite system. The protocol uses a hop-by-hop validation and signature mechanism. When an intermediate node modifies a message, other nodes can discover the modification promptly. At the same time, the routing algorithm is a section of the message. Each node needs to select the next-hop node according to the routing algorithm chosen by the source node. In this case, the security of the routing path can also be guaranteed. To cope with manin-the-middle attack, key generation center compromised attack, and distributed denial of service attack in Industrial IoT devices, Wang et al. [131] proposed a pairing-free certificateless signature scheme based on blockchain and smart contract. The scheme can consume less computation and communication resources. However, the digital signature is based on the asymmetric cryptographic algorithm which has a high computational complexity. In SIN, the protocol cannot be widely deployed due to the frequent message transmission and the limited computing capacity. Similar to digital signatures, Message Authentication Code can also assure integrity. With the symmetric cryptographic algorithm, its computational complexity is relatively low. Hash-based Message Authentication Code (HMAC) and Cipher-based Message Authentication Code (CMAC) are recommended by CCSDS [132]. Timed Efficient Stream Loss-tolerant Authentication (TESLA) is a message authentication method based on Mes-sage Authentication Code [133]. Fernández-Hernández et al. [134] used it to improve the Navigation Message Authentication (NMA) mechanism of the Galileo system. It adds NMA to the I/NAV message frame. In the structure of message, the 'MAC-K section' is the field of authentication code and associated delayed key [135]. This scheme also designs a mechanism for cross-authentication between adjacent satellites and allows navigation messages to be verified without being connected to the ground station.
In addition, the modification detection can also integrate different cryptosystems depending on the scenario. By combining the symmetric and asymmetric cryptographic algorithms, Wu et al. [136] proposed an integrity protection scheme for the D2 navigation message in the BeiDou-II navigation system. It encrypts the group time authentication and Generator Polynomial of Spectrum Spreading Sequence (GPSSS) through the SM4 algorithm and inserts the ciphertext into consecutive subframes. The group time is used to compare with the Second Of Week (SOW) to verify messages' continuity. GPSSS is used to demodulate the Spread Spectrum Information (SSI) to obtain the authentication of the page time and the signature of the position. This scheme makes attacker difficult to obtain and modify information. At a higher level, users also face the attack from malicious Uniform Resource Locator (URL). Chiramdasu et al. [137] proposed a random forest-based malicious URL detection system. This system extracts lexical feature, URL feature and malicious keyword as the input attributes. And it uses information gain, gain ratio and Gini index to choose and streamline features. The system is able to quickly adapt to new attacks and eliminate the possibility of over-fitting experienced with traditional decision trees.
In face of integrity breaches caused by confidentiality compromise, the modification detection is difficult to achieve the desired effect. The information source authentication can circumvent the limitation of the modification detection. This kind of scheme is mainly based on PLS. For signaling information, the access point sends it to the node ready for access. Because the data format of signaling is public, the attacker has the opportunity to forge message. Fu et al. [58] proposed a scheme based on the signal's Doppler frequency shift and satellite orbit's information. It uses prior ephemeris and observed channel state to establish a binary hypothesis test to authenticate the source of SIS. Wang et al. [138] proposed a spread-spectrum code authentication based on binary phase hopping. The scheme adds pseudo-random phase hopping in signal modulation to improve signal security. Since the demodulation is associated with a pseudo-random code in the receiver, the receiver can authenticate the signal source. Moreover, this scheme does not change the signal structure, so there is no need to change the transmitter and receiver's hardware devices.
If the source of information cannot be certified accurately, nodes in the network can also identify malicious signals through statistical feature of signals. A sophisticated induced spoofing attack can adjust the fake signal parameters gradually to avoid the detection. To solve this threat, Wang et al. [62] described dynamic characteristics of the attack signal with the S-Curve-Bias (SCB) of the signal. This method can determine the deception signal according to the first derivative of SCB.

Information restoration
The information transmitted and stored in SIN is vulnerable to destruction and modification. At different information levels, solutions to this kind of threat are very different. Signal-level information restoration aims at reducing the impact of interference. For the data-level information, methods to resolve threats mainly restore the destroyed information through redundant backup. The following will introduce information restoration methods from aspects of anti-jamming and data backup. The research summary is described in Table 12.
In an open channel, the signal is easily affected by unintentional and intentional interferences. According to their modes, anti-jamming methods can be divided into interference avoidance and post-interference recovery. For interference avoidance, the device needs to estimate interference frequency band and direction by monitoring channel states. With the knowledge from the monitoring, the device adjusts signal transmission parameters to avoid the interference frequency band or stay away from the interference area. In order to detect interference promptly, Liu et al. [139] proposed a Long Short-Term Memory (LSTM) based jamming detection method for satellite communication. First, the model uses fixed-point search Myriad filtering to suppress the alpha-stable noise. Then, it predicts the signal with LSTM network and compares the predicted result with the received signal to detect the malicious signal. In addition, Chen et al. [140] studied the anti-jamming capability of the Satellite-enabled army Internet of Things (SaIoT) network. They used a Q-learning algorithm to improve the coalition formation game and proposed a distributed dynamic antijamming network. With the improved coalition formation game, the network can select the node least affected by the interference as the gateway to communicate with satellites. Therefore, the device can avoid the interference area.
The interference avoidance requires continuous channel detection and wider device distribution. This kind of method needs a high cost to deploy. In comparison, the post-interference recovery is more direct. It focuses on eliminating interference superimposed on the desired signal. If the prior information, such as the source signal's frequency band and channel state, is known, the interference can be removed by filtering. If there is no prior information, blind source separation [141] can be used to recover the original signal through the statistical information of mixed signal. To address the Continuous Wave Interference (CWI) problem of the Indian Regional Navigation Satellite System (IRNSS), Silva et al. [142] proposed a new method based on Variational Mode Decomposition (VMD) and Wavelet Packet Transform (WPT) hybrid anti-jamming algorithm. VMD is used to decompose Intrinsic Mode Functions (IMFs) from the mixed signal. The dominant mode of the desired and interference signals can be distinguished using IMFs mutual information. Then, the remaining interference in dominant modes is eliminated using WPT. Finally, the desired signal can be recovered by the filtered and retained modes. In addition, the interference at the signal level can also be mitigated by higher-level methods. These methods can reduce the number of retransmission in the network [143]. Peters et al. [72] proposed a cross-layer method that combined the physical and data-link layers to alleviate the Doppler frequency offset. The method compensates for the frequency offset by adding frequency and phase synchronization markers to packets. It can estimate and correct the Doppler frequency shift in real-time on the satellite. Liu et al. [144] proposed a joint encryption and error correction scheme based on chaos and LDPC code. The scheme scrambles the plaintext according to the pseudo-random sequence generated by a hyperchaotic system. The scrambled message is encoded with LDPC encoder, which ensures the confidentiality and error correction capability of the message. This scheme also has high computational efficiency. The destruction at the data level often needs data backup to recover. In the scheme proposed by Mohammad et al. [145], the database in the space and multiple databases on the ground are securely connected through AES algorithm. When some ground databases fail to synchronize with the space database, the missing data can be supplemented by data exchange with other ground databases. This scheme can reduce the number of retransmission in the satellite-ground link. Furthermore, the data evacuation is also important when network infrastructures are damaged. Lourenço et al. [146] focused their work on the evacuation of the data affected by disaster. When the network topology is seriously damaged, the SDN controller will use the information such as device location, buffer capacity and satellite system transmission rate to establish a larger bandwidth evacuation link.
Unlike the traditional centralized database maintenance scheme, blockchain demonstrates the benefits of distributed storage. It has a tremendous advantage in protecting integrity. Blockchain comprises distributed data storage, peer-to-peer transmission, encryption algorithms and consensus mechanisms [147,148]. Essentially, it is a decentralized database. With the maturity of blockchain, some projects have begun to focus on the deployment of blockchain in satellite networks [149]. Clark et al. [150] designed a blockchain-based node reputation system for satellite relay networks. The scheme modifies the applicability of the standard consensus and consistency mechanisms to make them more suitable for the space scenario. Considering the unstable delay of the space link can lead to consensus failure, the consensus mechanism is realized by returning the confirmation of the reputation information. The node's response to the consensus mechanism is also a part of the reputation evaluation. Due to the time-varying nature of the network topology, the blockchain faces the problem of shared parent blocks [151]. The consensus principle of this scheme replaces the chain with a directed acyclic graph.

Link establishment
The link establishment in SIN is the basis of on-board switching and routing. In the past, satellite nodes were transparent repeaters in the space. They are used to implement the one-hop forwarding of satellite-ground communications. With the enhancement of on-board processing capability, multiple satellite nodes can establish interstellar links, changing from one-hop forwarding to on-satellite switching [15]. Satellites equipped with multi-beam antennas can meet the communication requirements of the large capacity and range. According to the corresponding relation with threats, this part will introduce recent countermeasures from resource allocation in physical links, optimization of logical link transmission mechanisms and integration of heterogeneous networks. The research summary is described in Table 13.
The resource allocation in physical links mainly consists of beam management strategies and MAC protocols which relate to channel capacity and transmission efficiency. The beam management strategy, which allocates signal resources to mobile nodes, is an important function for network access. When a mobile node is moving out of a beam coverage, the access point will prepare to establish a new physical link with the node. To find an appropriate beam switching scheme in SIN, Li et al. [152] compared the performance of beam hopping and multi-color frequency reuse with the assistance of the aerial network which can enhance network coverage. In the case of uneven user and traffic distribution, the channel capacity and the transmission performance of the proposed scheme are superior to that of multi-color frequency reuse. The channel resource is allocated by MAC protocols which can be divided into satellite-ground strategy and inter-satellite strategy. For the satellite-ground access, Liu et al. [153] designed a coherent Contention Resolution Diversity Slotted ALOHA (CRDSA) protocol for the massive Machine Type of Communication (mMTC) in satellite communications. This method performs a coherent accumu- lation operation on received frames. When a conflict-free replica misses, the sliding coherent accumulation operation will be applied to virtual subframes to counteract the overlap of conflict frames. This protocol effectively improves throughput under high load. For the inter-satellite access, Chen et al. [154] studied the MAC protocol for satellite formations. The inter-satellite token ring protocol is proposed to control the access sequence to ensure the flexibility of the network structure. Through this protocol, fifteen satellites in the experiment can complete the networking within ten seconds, but the end-to-end communication delay still needs to be reduced. In order to ensure the availability of logical links in SIN, some researches focus on improving the applicability of TCP-type protocols. Guan et al. [155] improved TCP Vegas protocol for the asymmetric bandwidth and proposed the Vegas Forward Direction Delay (Vegas_FDD) protocol. The protocol divides the congestion judgment into forward link and backward link, respectively. This method avoids the reduction of forward link transmission rate caused by backward link congestion. In addition, PEP mechanisms with TCP-type protocols are susceptible to confidentiality requirements. Besides partially encrypting the data packet [156] or assigning a secret key to the PEP [157], Pavur et al. [158] designed a new PEP structure. In this method, the packet encryption and decryption functions are handed over to the PEP client and server, which can prevent eavesdroppers and service providers from obtaining plaintext. At the same time, it avoids the problem of TCP meltdown in the mechanism of TCP-over-TCP [159]. Another part of the logical link research involves non-TCP type protocols. For the email service in the deep space, Lee et al. [160] proposed the DTN-SMTP protocol to ensure the reliability of end-to-end communication. This protocol uses BP and LTP to implement a one-way transmission of mail data and reduces the interaction between client and server.
In the integration of heterogeneous networks, data exchange between different protocol networks is an important research direction. Koo et al. [161] designed a tunneling mechanism under heterogeneous space networks. The gateway node finds the CFDP Protocol Data Unit (PDU) with a specific marker and converts it into the data format of the corresponding network. This protocol implements the PDU forwarding service between the DTN and non-DTN networks. Another key research direction focuses on optimizing the edge link between different function heterogeneous networks. This research aims to avoid boundary links becoming network bottlenecks. Considering the transmission optimization between Vehicular Ad-Hoc Network (VANET) and satellite network, Zong et al. [162] optimized the transmission mechanism. As the amount of data increases during the slow start, satellite network's high latency bandwidth product can be filled. And in the congestion avoidance period, lost data packets under different protocols are distinguished, and the type of the lost data is a reference to adjust the window size more accurately. Therefore, this framework can improve the transmission efficiency between VANET and satellite network.

Routing mechanism
The function of routing mechanism is to establish a reliable transmission path between the source and the destination. The routing path quality is affected by the physical topology and routing decision algorithm. The physical topology of SIN is the basis for routing decision algorithms. The redundancy and survivability of the physical topology ensure that the network can maintain basic connectivity when some nodes fail. Routing decision algorithm selects the best routing path and ensures timeliness and reliability for data delivery. The following part introduces the solutions from the following three aspects: constellation design, routing decision and routing paths monitoring. The summary is briefly described in Table 14.
The satellite constellation design is vital for routing decisions [163]. On the one hand, satellite networks should ensure ground coverage and improve QoS for mobile devices [164]. On the other hand, the connectivity and redundancy of satellite constellation should also be enhanced to ensure data forwarding in the space. In order to improve the survivability of the constellation, Jakob et al. [165] designed a multi-echelon inventory control strategy for spare satellites in the large-scale constellation. The strategy introduces the concept of the parking orbit to store the spare satellite, and its altitude is lower than the constellation orbit. The design of the parking orbit can save the rocket launch cost and reduce the time of satellite dispatch. In addition, the constellation model can also be optimized. For Ultra-dense LEO satellite networks, constellation design focuses more on minimizing the number of nodes in the initial model. Deng [166] et al. designed a three-dimensional constellation optimization algorithm. It takes the satellite-ground link's coverage and backhaul time as the optimization goal to minimize the number of satellites in the initial constellation. The non-essential satellites in the constellation can increase network capacity or enhance network function. Furthermore, in the complex orbital environment, the risk of collisions between satellites also increases with the expansion of the constellation scale. Fan et al. [167] proposed a formation trajectory reconstruction strategy based on the Bezier shape-based method. The strategy can complete the formation reconfiguration with high efficiency and less fuel consumption. With the exploration of deep space, Wan et al. [168] designed a solar system interplanetary relay network for communication between Mars and Earth. The scheme takes the shortest path and the minimum number of hops and nodes as the optimization goal and meets the end-to-end communication requirements. When establishing, updating and maintaining routing paths, the stability of the logical topology provides a reliable guarantee for transmission. In satellite networks, a reasonable routing decision algorithm can make the routing path have a longer life cycle and converge faster. In order to solve the intermittent interruption caused by inter-satellite link changes, Dai et al. [169] studied the prediction of logical topology and proposed a multi-attribute dynamic graph (MADG) scheme to find the optimal routing path. This scheme ensures that the selected path has a longer life cycle. In addition, due to the reverse flight of satellites in polar orbit constellations, a seam barrier will appear between two logical planes of the network. To solve this problem, Markovitz et al. [170] proposed the seam-aware location-based random walk routing algorithm which spliced two planes vertically and implemented the cross-plane transmission through northsouth links. This strategy resolves the split of network logical topology caused by seams.
The routing paths monitoring aims to identify malicious nodes or fake routing information. The malicious behavior detection can be divided into distributed and centralized methods. The characteristic of the distributed routing monitoring strategy needs each node collects the behavior information of nearby nodes and selects routing nodes according to behavioral characteristics. Ding et al. [171] designed a distributed monitoring strategy based on a trust mechanism for the micro-nano satellite network. Considering micro-nano satellite network's characteristics, the strategy divides the reputation value into the direct type generated by node behaviors, the indirect type scored by surrounding nodes, and the energy state. When selecting routing nodes, the trust value and the number of hops are considered comprehensively. The centralized routing monitoring strategy needs the server to collect and process the behavior information of all nodes in the network. Guo et al. [172] proposed a centralized routing monitoring strategy based on Trusted Resource Matrix (TRM) for the Integrated Space-Terrestrial Network (ISTN). In this strategy, the SDN controller monitors network nodes' states and compares the real-time traffic's characteristics. According to the traffic characteristics, the controller establishes TRM which can help nodes select a secure routing path.

Mobility management
The high-speed movement between nodes is a major feature of SIN. This feature gives SIN the ability to provide communication services globally, but it also increases instability. When the mobile node switches the access point, massive request data, inefficient handover strategy and inflexible forwarding strategy bring challenges to the location management and the handover management, which are two critical functions of mobility management [173]. This part introduces methods to enhance the flexibility and scalability of mobility management from the control node, mobile node and access point perspectives. The summary is briefly described in Table 15.
The location management is the primary functions of control center. It is responsible for global location synchronization and requests information processing. In face of constrained network resources, the location management of control center can be improved by enhancing mechanism's scalability and optimizing handover strategy. In order to improve the scalability of the mechanism, Ji et al. [174] designed a flexible and distributed mobility management architecture for integrated terrestrial-satellite networks. In this architecture, non-LEO satellites and ground stations together as a management center to achieve efficient mobile management. To solve the heterogeneous protocol problem, non-LEO satellites can be reconfigured in function level. Therefore, the scalability of network is greatly enhanced. To optimize the handover strategy, Dai et al. [175] proposed a flexible agent strategy, which migrates the function of the home agent to another agent closer to the mobile node. It reduces the delay of communication with the home agent. At the same time, to reduce the occupation of network resources, they designed an aggregated handover strategy which can help members of the group implement the pre-handover together.
For access points, their function related to location management are simpler than the control center. Access points mainly focus on the query and cache of the location information to assist message forwarding. Still, the resource-constrained access point needs to optimize the related function. Li et al. [102] proposed a multi-strategy flow table management method for the Software-Defined Satellite Network (SDSN). The method consists of Dynamic Classified Timeout (DCT) algorithm and Timeout Strategy-based Mobility Management (TSMM) algorithm. In the scenario of frequent handover, this method effectively controls the growth of the flow table, and it can be applied with small memory space.
Another function of mobility management is handover management. When switching an access point, the control center takes on less work than it does in location management. It generally provides the destination's location information to the forwarding node. In a centralized network, it can help routing nodes with path prediction. To reduce delay variation during handover, Yang et al. [176] proposed a dynamic routing strategy based on path-quality aided and lifetime-aware. It handles the link intermittently through cache-forwarding scheme and hop-by-hop acknowledgments. In addition, the control center can also assist the mobile node in selecting an access point. In order to find the best forwarding node in the small satellite network, Zhou et al. [177] formulated the stochastic data scheduling problem into an infinite-horizon discrete Markov Decision Process (MDP), and proposed a Joint Forward and Backward Induction (JFBI) framework to calculate the optimal forwarding decision and achieve more accurate use of network resources. For access points, the handover management is an essential function. Firstly, the mobile node will not have a network address until it finishes the handover, so the data cannot be forwarded to the node unaccomplished handover. The access node needs to solve intermittent link and service interruption caused by inefficient handover strategy. At the protocol level, the handover strategy needs to simplify the interaction operation and reduce the handover frequency. The scheme proposed by Zhang et al. [178] presents the handover as a weighted bipartite graph model consisting of mobile nodes and satellites. The connection weight between them is generated from channel quality, remaining time of service, number of users and power budget. According to this model, a multiobjective optimization problem is constructed to match the best access point and reduce the handover frequency. In addition, the handover management also involves beam switching at the physical level. These contents have been involved in "Link establishment". Second, the access point needs to ensure real-time transmission through flexible forwarding strategies. Deng et al. [179] proposed a data delivery scheme based on location prediction for named data networking. They considered the data forwarding between old and new access points. When the mobile node acts as a consumer, the old access point forwards the Pending Interest Table (PIT) to the new one through the predicted path. This strategy can reduces the RTT during the handover. When the mobile node acts as a producer, if the old access point receives previous interest packages, it will send an interest redirect to the new access point to reduce the transmission delay after updating the address.

Challenges and future work
With the exploration and development of the space, all countries are implementing their space programs. Since many projects are in the research and exploration stage, there is no recognized standard for the protocol and architecture of SIN. This situation makes detrimental to international cooperation and technological iterations. It is gratifying that the study of professional simulation platforms and AI can reduce the time-consuming and expenditure of projects. The simulation and standardization of new technologies are critical components in the development of SIN. However, there are still many problems in international cooperation and space resources utilization. The security of SIN remains a critical issue. From the perspective of three security attributes, this section summarizes some open and challenging work.

• Confidentiality
Confidential information-exchange. Confidential information-exchange can be divided into the high-layer method and the low-layer method. These two types of methods usually work independently in traditional networks. Therefore, when a new single-layer method is designed, the designer needs to spend more thought and effort to balance the security and the computational cost. For this reason, it is necessary to analyze the threat of complex networks from the perspective of system. For the same security requirements, a multiple-layer method can assign work to different layers. In this way, the workload is shared by each layer and the load of the network system is more balanced. However, there are still two issues worthy of attention: (1) How to quantify the requirement for confidentiality is a problem that the designer must face for assigning security work. Only by solving this problem can designers divide an abstract security requirement into specific tasks at each level. (2) At the same time, the effect of method in each layer also needs unified metrics. For example, both cryptography and physical security can guarantee the confidential exchange of information, but which one is more suitable for this system? To choose a suitable method, unified metrics are necessary.
Authentication and key agreement. AKA is the foundation of confidentiality and integrity. Without a secure enough AKA, confidential information-exchange can only rely on physical layer security. The scheme of AKA mainly protects the confidentiality of network systems through the method of cryptography. In the scheme designing, besides cryptography, another point of concern is the support for massive IoT device access. The communication cost and the fairness of the agreement both are challenges to network's QoS. In addition, the privacy problem will be more serious since the deep integration of SIN. Users' identities, tracks and other information will face the risk of being monitored and tracked. Although there are some relatively mature solutions in the ground network, these solutions cannot be directly applied to SIN. These are urgent problems to be solved. In deep space, another issue faced by AKA is high and unstable time delay among interplanetary nodes. However, because of the complexity, the current studies about interplanetary AKA are very few. Compared with the first two questions, this one is easier to be ignored. At present, these interplanetary nodes are mainly expensive scientific research equipment. They and their data Information identification. According to research introduced in information identification, current studies focus on the message level and the signal level. The challenge to protection methods at the message level is that most message authentication still depends on the cooperation of ground stations. This problem goes against the flexibility of SIN. There are also some methods that need to modify the format of the packet. It makes cross-platform deployment difficult and reduces system scalability. Furthermore, the identification at the signal level does not rely on complex cryptographic mechanisms and interactions among devices, but it requires a large number of physical characteristics and consumes a lot of computing resources. In this case, frequent communication will make devices work in a high load state for a long time. This problem reduces their life cycle. Information restoration. The challenge to information restoration will not only threaten the integrity, but also have a huge impact on the availability of the entire system. First, mutual interference between wireless signals is more severe because of the increase in the number of devices in SIN. Deployment of Ultra-Dense Constellations and IoT devices makes inter-satellite link and satellite-ground link become more crowded. This is a very direct challenge and the information restoration at the signal level will take on more onerous tasks. Second, the data center of SIN is mainly deployed on the ground. This scheme reduces the flexibility of SIN. However, the research about on-board data centers is too few. Although blockchain is a potential technology for distributed data storage, only a few existing works can be directly applied to SIN. Therefore, on-board data recovery remains challenging.

• Availability
Link establishment. Ensuring a stable link state is always a herculean task for SIN. Related challenges mainly come from imperfect protocols in physical, data-link and transport layers. First, physical and data-link layers are used to establish a physical link. However, there is a huge contradiction between increasingly tight channel resources and competition for communication opportunities. For satellite-ground link, whether the existing channel model and precoding technology can be applied to the future environment is unknown. Further, this contradiction makes physical links more congested. The collision of signals will cause a waste of energy. Therefore, a channel resource allocation protocol applicable to SIN is required. For inter-satellite links, studies related to MAC protocol are very few. The lack of appropriate inter-satellite MAC protocol will greatly reduce the transmission rate of SIN. Second, the transport layer's problems are mainly caused by the heterogeneity of network. Some ground network services only support TCP-type protocol. This leads to many SIN-specific transport protocols that cannot use these services and constrain the development of new protocols. Given all of that, in 5G and 6G scenarios, frequent data exchange, low power consumption and low-latency communication put more stringent requirements on SIN's availability. If these problems cannot be solved, the scale of SIN will be greatly limited.
Routing mechanism. In routing mechanism, there are many secure routing protocols for SIN. It seems that there is no great challenge. Unfortunately, limited extraterrestrial space brings new challenges to constellation design. Ultra-dense constellations will soon deplete orbital resources. The development of a new constellation will be as important as that of secure routing protocols. Because most secure routing protocols are designed for specific constellations, it is worth noting whether the existing routing protocols can be compatible with the new constellation. Moreover, Lagrange Points are an important communication relay node in the restricted three-body model. They play an irreplaceable role in the routing topology of deep space communication. But the number of them is so small that we have to find a new network topology that can meet the deep space communication requirements. Mobility management. For vehicles, mobility management is indispensable if they want to enjoy high-quality network service from SIN. To prevent system overload, there are a lot of studies that pay attention to handover management which is a critical function of mobility management. Most of them attempt to solve the efficiency and scalability problems. However, some dangers are hidden inside. When a handover occurs, vehicles' location change information can leak to third parties easily. With differential inference attacks, the adversary can recover the user's track and generate the user profile. Few studies focus on privacy disclosure in SIN, which is a serious security issue.

Future work
• Confidentiality On-board encryption and authentication. On the basis of meeting the security requirement of communication in SIN, designing more lightweight encryption algorithms and access authentication protocols has always been the critical research direction of confidentiality. Especially in the case of constrained computing resources, lower computational consumption can make the network obtain more capacity. In addition, in access authentication, enhancing the independent processing capability of satellite can reduce the dependence on the ground control center and the occupation of communication resources. Physical layer authentication. Unlike traditional authentication protocols, the physical layer authentication utilizes different characteristics of transmitted signals between devices to implement the identification [180]. In the case of heterogeneous upper-layer protocols, this physical layer authentication can be unrestricted by different protocols and efficiently distinguish between legitimate and illegal users. Moreover, it can complement traditional authentication methods to provide different levels of confidentiality guarantees for SIN.
Quantum key distribution. The Quantum Key Distribution (QKD) is designed based on the foundations of quantum mechanics. In the quantum channel, a quantum state usually cannot be accurately cloned. If the cloning happens, receiver will notice that [181]. Therefore, QKD prevents secret keys from leaking to third parties during transmission. In the space, the cost of establishing an optical communication link is low [182], and the research of satellite quantum networks has also received wide attention in establishing a worldwide quantum security network. Privacy protection. More and more functions of SIN are open to civilian users. While enjoying services, users are most concerned about the leakage of the sensitive privacy. Service providers should focus on the risk of the data leakage when providing a new service. However, many services are data-driven. Collecting and utilizing privacy data is necessary to improve service quality. Differential Privacy [183] can effectively alleviate privacy disclosure, and combine with federal learning [184] to make full use of users' data. In addition, different countries have different restrictions on the privacy management. Service providers should fully consider privacy-related laws in the different markets.

• Integrity
Blockchain in SIN. Blockchain has been successfully deployed and applied in terrestrial networks. It provides a new model for data storage. In SIN, blockchain can theoretically reliably guarantee the integrity of the on-orbit data, improve the self-healing ability of the stored data, and deal with single-point failure problem. However, considering the massive traffic [185] generated by node consensus, limited computing resources and unstable link conditions make it challenging to deploy blockchain into SIN. The applicability of the blockchain needs to be optimized in the follow-up research work. Cross-layer information identification. Information identification in SIN can effectively filter out the malicious information. However, most information identification methods are independently deployed at lower and higher layers. Therefore, there is a function overlap between lower and higher layers' methods, which consumes additional resources. If the low-level and high-level information identification functions are systematically integrated, the function assignment of the system can be made more explicit. The cross-layer method can filter out malicious information at the low and high layers of the network, respectively, and reduce the computing pressure of the entire system. Computing resources can also be allocated reasonably. Extraterrestrial data center. An extraterrestrial data center is an important part of interstellar exploration. It can store more data than satellites and rovers. And communication with extraterrestrial data centers is faster than that with terrestrial data centers, which reduces the long latency. It can improve the efficiency of data storage and recovery. In response to emergencies, it can also complete the data backup and transfer faster.

• Availability
Integrated security strategy and resource allocation. In a complex and intelligent system, availability always conflicts with confidentiality and integrity because of resource-constrained. Strict security requirements will consume a lot of system resources. In this case, the quality of network communication is bound to fluctuate. Therefore, a method of integrated security strategy and resource allocation is necessary to ensure the stable operation of the system. This scheme needs to consider and assign security tasks from the perspective of a system, which aims to minimize duplication of security mechanisms. Under the scheme, each layer will be assigned different security tasks. The intersection of their tasks will be minimized. In this case, their mutual cooperation will become closer. The whole system can run in a load balanced state. Mega constellation networking. With the increasing integration of SIN, the satellite network undertakes more communication tasks. Because LEO satellite network has characteristics of low latency in communication and small satellites reduce the launch cost [186], LEO satellites have become backbone nodes in most satellite communication schemes. Compared with early satellite networks, the number of nodes, the surface coverage and the connectivity in the mega constellation network have been dramatically improved. More flexible and effective communication and access schemes should be designed to fully utilize satellite networks' capacity.
Space situational awareness. In the complex orbit environment, the prediction of the space environment plays a vital role in ensuring the safety of on-orbit spacecraft. The space situational awareness system needs to monitor the environment and operation status of the spacecraft from multiple perspectives. To maintain the long-term safety of the space environment, clean-up and recovery technologies of space debris are also significant. These technologies involve much interdisciplinary research and require time and money for experimental verification.
Deep space communication. With the exploration of the space, man-made space probes aim to be farther from Earth. It will gradually become the backbone link of interstellar network communication. At present, establishing a reliable deep space communication link is necessary to ensure that the collected data can be stably sent back to Earth. Unlike Earth-orbiting satellites, high latency in deep space communications is unavoidable. The deep space communication pays more attention to the routing path's continuity and the delay's stability. The design of physical topology and communication protocol is an important research direction in the deep space communication.
Heterogeneous network integration. SIN is a convergence of various networks, and its goal is to build an integrated multi-purpose network. Due to the heterogeneity of function and protocol between different subnets, SIN is restricted by various factors. The compatibility of heterogeneous networks is a massive obstacle to convergence. Network architecture and protocols with high scalability and generality have always been the key research directions of communication networks. Intelligent reflecting surface. An Intelligent Reflecting Surface (IRS) is nearly a passive unit which can reflect a received signal and apply a desired phase shift [187,188]. It can assist a signal to bypass a line-of-sight blocker or append new channels. The channel environment between source and destination nodes can be greatly improved with the help of IRS. As a result, several works of IRS in wireless networks have been widely discussed. This technique is also interesting for SIN. Especially for satellite-to-ground links, because of the limited beam range of the satellite signal, the link needs to be reestablished after the ground node leaves the radiation. If IRS can be deployed for ground nodes, the duration of the satellite-ground link can be extended. Age of information. SIN is a typical multi-source heterogeneous network. In this system, Real-time data is critical to network quality. To measure the freshness of information, Age of Information (AoI) [189] is an important metric. AoI represents the time elapsed from the beginning of the generation to the destination reception of the information. It is a metric focused on the destination, as opposed to the traditional metric focused on package. Application scenarios that are sensitive to the timeliness of data, often require freshness of data. AoI is well suited as an optimization target to calculate the relation between packet generation time and transmission priority.

Conclusion
SIN is a vast and complex system. The threat analysis based on network security attributes can assist designers in understanding security requirements from a system perspective and accurately assigning security tasks to each layer. To make the analysis more general, this study selects three essential network security attributes, confidentiality, integrity and availability, as threatened objectives and builds a research framework. The relation between network security attributes and network architecture is established through secure communication mechanisms. Under the framework, Threats and countermeasures in SIN are discussed. Specifically, the confidentiality covers confidential information-exchange and AKA, the integrity introduces information identification and information restoration, and the availability discusses link establishment, routing mechanism and mobility management. The main works of each part are detailed analyses of mechanisms and principles of each threat and summaries of countermeasures to solve threats. Finally, this paper lists the challenges and future research directions in SIN to provide ideas for follow-up research work.