XAI-Based Framework for Protocol Anomaly Classification and Identification to 6G NTNs with Drones

Abstract

Although deep learning (DL) methods are effective for detecting protocol attacks involving drones in sixth-generation (6G) nonterrestrial networks (NTNs), classifying novel attacks and identifying anomalous sequences remain challenging. The internal capture processes and matching results of DL models are useful for addressing these issues. The key challenges involve obtaining this internal information from DL-based anomaly detection methods, using this internal information to establish new classifications for uncovered protocol attacks and tracing the input back to the anomalous protocol sequences. Therefore, in this paper, we propose an interpretable anomaly classification and identification method for 6G NTN protocols. We design an interpretable anomaly detection framework for 6G NTN protocols. In particular, we introduce explainable artificial intelligence (XAI) techniques to obtain internal information, including the matching results and capture process, and design a collaborative approach involving different detection methods to utilize this internal information. We also design a self-evolving classification method for the proposed interpretable framework to classify uncovered protocol attacks. The rule and baseline detection approaches are made transparent and work synergistically to extract and learn from the fingerprint features of the uncovered protocol attacks. Furthermore, we propose an online method to identify anomalous protocol sequences; this intrinsic interpretable identification approach is based on a two-layer deep neural network (DNN) model. The simulation results show that the proposed classification and identification methods can be effectively used to classify uncovered protocol attacks and identify anomalous protocol sequences, with the precision increasing by a maximum of 32.8% and at least 26%, respectively, compared with that of existing methods.

1. Introduction

Nonterrestrial networks (NTNs) for sixth-generation (6G) systems are becoming increasingly popular owing to their comprehensive coverage, mobility, and resilience to severe natural disasters [1]. With the rapid advancement of drones and cost-effective low-altitude platform aerial vehicle manufacturing methods [2], drone swarming has emerged as a promising solution to address various issues for 6G NTNs, enabling information flow through interconnections, cooperative control, and resource sharing among base stations (BSs) and core networks (CNs) [3,4,5,6].

Drone swarming techniques for 6G NTNs have been designed for both BSs and CNs in 3rd generation partnership project (3GPP) standards and ongoing research. Drone swarming techniques involving BSs in low-altitude airspace, as defined by 3GPP standards, can be used to forward signals, as shown in Figure 1a, or act as BSs cooperatively, as shown in Figure 1b, thereby achieving continuous ground coverage [7,8,9,10,11]. Drone swarming techniques involving CNs in low-altitude airspace are still being developed on the basis of 3GPP standards, with options for deploying some or all functions of CNs through drone swarming [11,12,13]. The CNs in 6G NTNs are based on service-based architectures (SBAs) and have multiple network functions (NFs), including the user plane function (UPF) and various control plane NFs, such as the access and mobile management function (AMF). Drone swarming techniques involving CNs can be used to deploy the UPF or AMF, as shown in Figure 1c, or all NFs, as illustrated in Figure 1d. In this type of deployment, low-altitude airspace and ground NFs cooperate to facilitate the transmission of spatial information to ground stations and support the long-range transfer of terminal information, significantly reducing ground transmission latency [14].

6G NTN with drones will serve as an essential communication infrastructure [15]. The scenarios for 6G NTNs encompass global seamless connectivity, IoT services, emergency communications, disaster recovery, and autonomous driving, which require the available communication service [15,16,17]. In 6G NTNs, protocols are crucial for defining communication rules among NFs, ensuring efficient and reliable data transmission. However, low-altitude airspace NFs are particularly vulnerable to malicious protocol traffic from terrestrial user equipment (UE) and NFs in areas with unprotected coverage. This malicious protocol traffic can, for example, infiltrate CNs in low-altitude airspace through drone swarming involving BSs, resulting in paralysis of the entire low-altitude airspace network [5,18]. To prevent malicious protocol traffic [19,20,21], it is essential to detect, classify, and identify protocol attacks. Specifically, detection involves monitoring the presence of protocol attacks in 6G NTNs. Classification involves matching the detected attacks with predefined attack categories, which aids in selecting appropriate prevention strategies. Identification involves determining the anomalous protocol sequences associated with the detected attacks and the targets that must be protected with prevention strategies.

Recently, deep learning (DL)-based anomaly detection methods have shown exceptional performance in capturing complex patterns in drone and terrestrial mobile communication networks [22,23,24,25,26]. These methods can be categorized into rule-based and baseline-based detection methods, known as rule detection and baseline et aldetection [24,25,26]. In rule detection methods, covered attacks are effectively detected by comparing the attacks with threat features extracted from historical data; however, these methods have difficulty detecting uncovered attacks and identifying anomalous protocol sequences. Baseline detection methods, which are trained on attack-free 6G NTN traffic data, can detect deviations from normal behavior and are thus useful for detecting uncovered attacks; however, these methods provide only Boolean results and cannot be used to classify or identify specific anomalous sequences. In recent research, these methods have been designed for unmanned aerial vehicles (UAVs) [23,24,25,26,27,28], the internet of unmanned aerial vehicles (IoUAVs) [29,30,31], 6G networks [30,32], internet of thing (IoT) networks [22], and other networks, improving the detection of both covered and uncovered attacks [20,21,22,23,24,25,26,27,28,29,30,31,32] and the classification of known attacks [20,21,22,23,24,25,30,31,32].

However, these combined methods still fail in classifying uncovered attacks without new classifications and identifying specific anomalous protocol sequences, focusing instead on Boolean detection and classification labels.

The internal information and processes of DL models could be utilized to address these limitations. DL models can capture fingerprint information during the detection process, which is useful in classifying uncovered attacks, but this information is often obscured by the black-box nature of these models and high-dimensional mappings. Similarly, anomalous data captured via baseline detection methods are represented by intermediate features, making tracing these data back to the original protocol sequences difficult.

In recent studies, explainable artificial intelligence (XAI) techniques have been used to elucidate the processes underlying DL models, facilitating the extraction and utilization of internal information and processes in DL-based detection methods. The aim of XAI-based anomaly detection research and other communication networks is to make the detection process more transparent, thereby providing more credible results and optimizing accuracy. However, a significant gap remains in applying these explanations for classification and identification, posing substantial challenges.

Lack of explainability and collaboration. The objectives of existing interpretable detection methods are to provide credible results and optimize accuracy; however, these methods do not output the internal information of the DL model necessary for classification and identification, hindering the utilization of this information in classifying uncovered attacks and identifying anomalous protocol sequences of 6G NTNs. An explainable detection framework is needed to support the extraction of internal process information during the baseline and rule detection processes for classification and identification. Furthermore, this framework should enable real-time collaboration during the baseline and rule detection processes to ensure that the internal process information can be fully utilized. The key challenges are determining what information from the baseline and rule detection processes should be provided and how this information should be collaboratively utilized by the baseline and rule detection methods to improve classification and identification performance.

Extracting and improving black-box models with internal information. While baseline detection methods primarily provide Boolean outputs, they also capture deviations from normal behavior; these deviations contain critical fingerprint features of uncovered attacks but are not explicitly output. In DL-based rule detection methods, new classifications are established by retraining the model on the basis of new data to extract these fingerprint features, but this process can introduce delays in both training and deployment. The key challenges are determining how to extract internal fingerprint features from black-box baseline detection methods and how to establish a new online rule detection classification of 6G NTNs using the external fingerprint features captured during the baseline detection process.

Capturing original anomalous protocol sequences in the internal irreversible mapping process. During the baseline detection process, deviations between attacks and the baseline process are extracted by DL models from protocol data containing anomalies. To trace these protocol attacks of 6G NTNs back to the original anomalous data points, the deviation capture process must be reversed. However, this process involves high-dimensional abstractions within the black-box DL model, which are not explicitly provided and are challenging to reverse. The protocol sequences must be transformed into images so that deep learning models can process them while ensuring this conversion retains sufficient information for the reverse conversion of the DL model, which needs to be explainable.

To address these challenges and enhance the security of 6G NTN protocols, the explanation requirements and applications of classification and identification methods must be explored. Therefore, in this paper, we propose an XAI-based interpretable anomaly classification and identification method for 6G NTN protocols. In the proposed method, the rule and baseline detection processes are elucidated through XAI techniques. These methods operate synergistically to classify uncovered protocol attacks and identify specific anomalous protocol sequences. The contributions of this paper can be summarized as follows:

• We introduce an interpretable and collaborative detection framework for 6G NTN protocols. This framework analyzes in detail the interpretability demands of baseline and rule detection methods and their collaboration. Result and process explanations for the baseline and rule detection processes are integrated, fostering collaboration between these methods and supporting the classification of attacks and identification of anomalies with robust explanatory and collaborative capabilities.
• We design a self-evolving classification method for uncovered protocol attacks within the proposed framework. The rule and baseline detection processes are clarified, enabling synergistic extraction and learning of attack fingerprint features to classify uncovered protocol attacks.
• We design an online identification method to detect anomalous protocol sequences within the proposed interpretable framework. In this method, protocol sequences are transformed into images for DL-based detection, ensuring the traceability of the original anomalous protocol sequences after identifying the anomalous image section. To identify the anomalous image section, a two-layer architecture consisting of a prediction model and a detection model is designed, where traditional deep neural network (DNN) convolutions are replaced with exclusive OR (XOR) operations. This enables efficient and synchronized identification and detection of anomalies. Thus, the capturing of original anomalous protocol sequences in the internal irreversible mapping process is achieved.

The remainder of this paper is organized as follows. In Section 2, the current research on DL- and XAI-based anomaly detection methods and other communication networks is summarized. In Section 3, the protocol threat models for 6G NTNs and representative attack cases are introduced. In Section 4, the interpretable anomaly detection framework for 6G NTN protocols is designed. With the proposed interpretable framework, a self-evolving classification method for uncovered protocol attacks and an online identification method for anomalous protocol sequences are designed in Section 5 and Section 6. In Section 7, the simulation results are discussed, demonstrating the effectiveness of the proposed classification and identification methods. Finally, the conclusions of the paper are presented in Section 8.

2. Related Work

Anomaly detection methods based on DL models have demonstrated outstanding performance because of their ability to capture complex patterns in network traffic [22]. The DL models used in anomaly detection include convolutional neural networks (CNNs), DNNs, Gaussian mixture models (GMMs), generative adversarial networks (GANs), recurrent neural networks (RNNs), long short-term memory (LSTM) networks, and deep autoencoders (AEs).

Among the anomaly detection methods, rule detection approaches train models using historical attack data to extract features that represent these past attacks, known as fingerprint features. Consequently, the historical attacks and their fingerprint features are covered within the rule detection approach [25]. Attacks are classified by comparing the analyzed data with the fingerprint features of the attacks covered in rule-based detection methods. Rule detection methods based on DL models have been widely studied, with a focus on protocol and application attacks in UAV networks [23,27,28] and IoUAVs [29,30,31]. Various DL models, such as CNNs [27], DNNs [29], and RNNs [31], have been used to extract static or temporal fingerprint features. Hybrid models that combine CNNs and LSTM networks have also been employed to capture data anomaly features [28,29], making them suitable for 6G protocol traffic, which is inherently a time series [32]. These methods have been validated with datasets such as CICDDoS2019 [23], INS [27], KDD-CUP99 [28], CICIDS [29], MDVD [30], and 5G-NIDD [31]. However, existing rule detection methods are ineffective for classifying uncovered protocol attacks in 6G NTNs, as prior knowledge of the attack is not available. In addition, existing methods cannot be used to identify anomalous data.

On the other hand, baseline detection methods can be used to monitor uncovered protocol attacks by detecting deviations from normal protocol classifications with DL models, which can be trained on the attack-free protocol traffic data of 6G NTNs. Baseline detection methods have been studied for various scenarios, including UAV networks [24,33,34] and IoUAVs [35]. DL models and techniques such as YOLOv8 [24], one-class support vector machines (OC-SVMs) [33], LSTM networks [34], and Bayesian-LSTM [35] have been employed to establish normal baseline behaviors. However, baseline detection methods, which output Boolean results indicating only the presence or absence of attacks, have difficulty classifying uncovered protocol attacks and identifying anomalous protocol sequences in 6G NTNs.

To combine detection and classification, rule and baseline detection methods have been sequentially integrated to monitor attacks in UAV networks, IoUAVs, and the IoT in recent research. For IoUAVs, an AE and a DNN model [36] have been combined. A toolset is used to define normal behaviors and cover attack conditions, whereas the DNN model is used to classify normal behaviors, cover attacks, and uncover attacks. For UAV networks [37] and IoT [38] attacks, data are first processed through rule detection methods using RNN–LSTM [37] or CNN–LSTM [38] to identify covered attacks. Data that do not match covered attacks are then analyzed via baseline detection methods using the synthetic minority oversampling technique (SMOTE) algorithm [37] or convolutional LSTM [38] to detect uncovered attacks. These hybrid approaches achieve over 90% accuracy on the CICIDS2017, NSL-KDD, and KDD Cup-99 datasets. However, existing rule and baseline detection methods are merely sequentially connected; thus, these approaches are limited to the capabilities of the two individual methods, including detecting uncovered and covered attacks and classifying covered protocol attacks. With respect to detection, classification, and identification requirements, these rule detection methods, baseline detection methods, and sequential methods fail in terms of two key aspects. First, these methods fail in classifying uncovered attacks without establishing new classifications. Second, these methods fail in identifying specific anomalous protocol sequences, focusing on outputting Boolean detection results and classification labels. The related work of baseline and rule detection methods is summarized in

Table 1. Related work of baseline and rule detection methods.

Reference		Scenarios	Models	Capabilities
				Detection	Classification	Identification
Rule detection	[20]	UAV	RNN	Covered	Covered	None
	[21]		CNN
	[22]
	[23]	IoUAV	DNN
	[24]		CNN
	[25]	6G	RNN
Baseline detection	[26]	UAV	YOLOv8	Covered and uncovered	None	None
	[27]		OC-SVM
	[28]		LSTM
	[29]	IoUAV	B-LSTM
Rule and baseline	[30]	IoUAV	AE and DNN	Covered and uncovered	Covered	None
	[31]	UAV	RNN-LSTM
	[32]	IoT	CNN-LSTM

.

Several methods have been developed to classify uncovered attacks by establishing new categories through retraining using meta-learning [39] or adding detection conditions inefficiently using tree models [40,41,42]. In meta-learning-based anomaly detection methods, models for multiple tasks are iteratively trained to extract attack features continuously, enabling the adaptive classification of uncovered attacks [39]. However, this iterative training process introduces detection delays because of the time consumed during training, which is unacceptable for 6G NTN services owing to their high communication availability requirements [40,41,42]. To address this issue, a real-time detection method based on the Hoeffding tree (HT) algorithm has been designed [43]. In this method, a new online branch is added to classify uncovered attacks when the cumulative deviations or other dynamic thresholds are met. This method can establish a new online protocol for attack classification in a 6G NTN. However, simply adding new branches for different detection conditions can degrade the detection performance because of the failure to leverage the precise fingerprint information of uncovered attacks. In fact, the DL model can capture fingerprint information during the baseline and rule detection processes, but this information remains incomprehensible and inaccessible because of the model’s black-box nature and high-dimensional mapping.

To identify the anomalies of the detected attacks, existing methods have been applied to localize anomalous NFs or communication processes in 5G core networks (5GCs) on the basis of logs [44]. However, these methods cannot provide the original protocol data at a finer granularity. To solve this problem, the protocol data interaction process between NFs is modeled as a graph to identify paths by which NFs interact with the corresponding anomalous protocol process [45]. However, anomalous protocol sequences or fields cannot be provided. In fact, these anomalous sequences or fields have already been captured and mapped to a high-dimensional space during the internal matching process by the DL-based baseline detection method. However, the captured anomalous protocol data are usually represented by intermediate information, such as instantaneous envelopes and statistical features, rather than the original protocol sequence, and the high-dimensional mapping process is irreversible.

To develop more understandable artificial intelligence (AI) models while maintaining high prediction accuracy, XAI technology represents a promising approach for obtaining internal fingerprint information and tracing it back to the original anomalous 6G NTN protocol sequences. Several popular XAI frameworks have been proposed to analyze the activities of DL models [46]. In the local interpretable model-agnostic explanations (LIME) approach, which was introduced in 2016, the local behaviors of AI models are explained through easily understandable proxy models, and the quantitative contributions of different inputs to the outputs are provided. A similar local rule-based explanations (LORE) approach was introduced in 2018. To improve the precision of the LIME approach, the high-precision model-agnostic explanations (Anchors) method was proposed in 2018. To further enhance the theoretical foundation of this approach, the Shapley additive explanations (SHAP) framework was designed in 2017, and an additive explanation model was used to determine the contributions of the inputs to the outputs. With respect to CNN models, class activation mapping (CAM) and gradient-weighted class activation mapping (Grad-CAM) were introduced in 2016 and 2019, respectively. In these methods, information from the last convolutional layer and gradients are utilized to highlight critical image areas using heatmaps, which can analyze 6G signal data or detect anomalous regions in drone images. These XAI frameworks offer explanations through proxy models, which map rules from inputs to outputs and quantify the contributions of inputs to outputs, as these proxy models and rules derived from DL models can provide consistent predictions and judgments, which is essential for protocol anomaly detection of the 6G NTN. These explanation capacities are useful in DL-based anomaly detection.

To improve the transparency and trustworthiness of DL-based anomaly detection methods, research on XAI frameworks and heuristic methods applied in anomaly detection has been performed, which can help classify uncovered protocol attacks; however, these frameworks have difficulty identifying anomalous protocol sequences.

The detection results can be explained by XAI methods to quantify the contributions of the inputs to the detection results. The LIME and SHAP frameworks have been deployed to analyze DNN-based [47] and LSTM network-based [48] anomaly detection models. The anomaly detection results of CNN-based models can be explained by the Grad-CAM framework [49]. In addition to XAI frameworks, heuristic adversarial-based [50] explanation methods have been developed to explain DNN-based anomaly detection results. These explanation methods were designed by combining approximate historical inputs, weighted random sampling, feature groups, and sparse group lasso methods to interpret the results of four DL–NIDS models, including the Kitsune, ODDS, RNN–IDS, and AE–IDS models [51]. These studies have provided the quantitative contributions of the inputs to the outputs, reflecting the degree of deviation. However, the use of quantitative contributions to extract the fingerprint features of uncovered protocol attacks and classify these attacks remains challenging.

Explanations of the detection results are used to enhance the detection scheme of anomaly detection methods. With the quantified contributions of the inputs to the detection results, the fingerprint features are obtained for use in the detection scheme. Random forest-based anomaly detection results can be interpreted via SHAP frameworks, which provide fingerprint features of intrusion traffic [52], and SVM-based anomaly detection results can be interpreted by the LIME framework, which provides fingerprint features of normal traffic patterns [53]. The fingerprint features representing the contributions of the inputs to the detection results are thus obtained. With these explanations, feature-matching detection strategies are designed and applied in conjunction with DL models to reduce the anomaly detection time, where merely the features affected by the anomalies are processed to reduce the volume of processed data [52,53]. However, using fingerprint features to classify uncovered protocol attacks remains challenging.

Explanation of the detection model for optimization. BD–GNNExplainer can be used to interpret GNN-based anomaly detection results to evaluate the detection performance and interpretability of models with different layers and configurations. On the basis of these interpretation results, the optimal structures and configurations of the GNN model can be determined [54]. XGBoost-based anomaly detection results can be interpreted by the SHAP framework to identify the typical features associated with different intrusion types. The explanation results can be used to guide the design of AEs for anomaly detection [55]. In these studies, the detection models have been elucidated, emphasizing the model architecture design and parameter selection process. The aim of interpretable classification is to increase the capability of the model rather than increase the accuracy within the existing detection range.

3. Threat Model

In 6G NTNs, protocol threats are particularly significant in low-altitude airspace; these threats often originate from malicious traffic generated by UE and man-in-the-middle (MitM) devices in remote and distributed ground areas with inadequate protection. This malicious traffic can penetrate the drone swarming CN through the distributed drones of BSs, potentially leading to paralysis of the entire low-altitude airspace network, as illustrated in Figure 2. The drones in 6G NTNs are still under discussion, protocols for both NTN terminals and the network side have been developed based on the core protocol standards established by 3GPP 5G [56,57]. Significant optimizations have been implemented in satellite and terminal-side protocols to facilitate seamless NTN smartphone connectivity. These improvements specifically address critical aspects such as time-frequency synchronization, precise timing relationships, efficient hybrid automatic repeat request (HARQ) configurations, and advanced mobility management strategies, as shown in

Table 2. The relationship between NTN protocol and 5G protocol.

Functions	3GPP NTN Protocol
Beam management	Beam position planning, beam scheduling defined in 3GPP TR 38.821 [58]
Time-frequency synchronization	Time offset and frequency offset compensation defined in 3GPP TS 38.211 [59] and TS 38.331 [60]
Timing relationships	Adaptation of NTN uplink and downlink scheduling timing defined in TS 38.331 [60] and 3GPP TS 38.213 [61]
HARQ configurations	HARQ extension and prohibition defined in 3GPP TS 38.331 [60], TS 38.212 [62] and TS 38.321 [63]
Mobility management strategies	Handover based on location and time defined in 3GPP in 3GPP TS 38.331 [60]
Downlink broadcasting	Broadcast message delivery for NTN information defined in 3GPP TS 38.331 [60]
Others	Inheriting 3GPP 5G protocol

.

Thus, this paper presents case studies of UPF denial of service (DoS) and protocol tampering threats in 5G networks, as well as the corresponding protocol data collection process.

3.1. UPF DoS

The UPF is responsible primarily for transmitting user data, and if it is overloaded, service disruptions occur [64]. Specifically, the UPF drone is particularly vulnerable to serious threats from malicious ground traffic at the intersection between low-altitude airspace and ground segments, as shown in Figure 3.

Here, we assume that attackers deliver malicious UE to unprotected remote areas covered by the 6G NTNs. The malicious UE can generate a large volume of protocol traffic, which is transmitted wirelessly to the low-altitude airspace of BSs and then to the UPF via the N3 interface connected to the low-altitude airspace of BSs. This surge in protocol traffic can overwhelm the UPF, leading to a DoS attack. The steps involved in the UPF DoS attack are as follows:

• The attacker UE is launched, with each piece of UE connected to the target 6G NTN.
• The malicious tool installed in the attacker UE generates a substantial volume of messages following the protocols of transmission control protocols (TCPs), user datagram protocols (UDPs), and internet control message protocols (ICMPs) within a short time. These requests are specifically configured with a high sending rate and large payload size.
• The UPF receives an overwhelming number of TCP, UDP, and ICMP requests from the attacker terminals.

After these steps are completed in the UPF DoS case, a significant burden is imposed on the computing resources of UPFs, rendering them incapable of effectively handling legitimate UE services. The malicious traffic in the second step can be generated using tools such as Bonesi (https://github.com/Markus-Go/bonesi.git, accessed on 2 December 2018) and Hulk (https://github.com/grafov/hulk.git, accessed on 17 May 2012). In this article, the tool of Bonesi is used to generate misconfigured traffic.

3.2. Protocol Tampering

The attacks and the corresponding anomalous protocol sequences create vulnerabilities in the initial registration procedure of 6G NTNs, allowing for hijacking, forging, and replaying of control protocol signals via MitM attacks [65,66] or BS intrusions [5] owing to the aerial transmission of wireless signals. By utilizing these vulnerabilities, two threat cases for 5G protocols, i.e., UE capability hijacking and sequence number desynchronization, are discussed, as shown in Figure 4 and Figure 5.

3.2.1. Hijacking UE Capability

In protocol tampering attacks, hijacking UE capability involves intercepting and altering the capability information of the UE transmitted in plaintext format. This information, defined by the integration of hardware, software, and applications in a terminal device according to 3GPP standards, includes the supported frequency bands, data transmission rates, and carrier aggregation technologies. The plaintext transmission method makes the UE capability data vulnerable to interception and modification by MitM relay attacks. The hijack UE capability attack [65,66] proceeds through the following four stages, as shown in Figure 4:

• To initiate the attack, the MitM relay uses a different tracking area code (TAC) from the device’s registration area, which prompts a tracking area update (TAU) procedure. The relay then rejects this with a TAU request message, erasing the current security context and temporary identities, and a new registration is triggered via an attach request to the MitM relay.
• By forwarding the messages, the nonaccess stratum (NAS) security setup for the UE can be completed. As this involves the creation of a new registration, the AMF prompts the next generation node B (gNB) to obtain the capabilities of the UE.
• Before the UE capability information is sent from the UE to the gNB, the MitM relay changes the S1 mode from supported to unsupported. The modified message is then sent to the network, allowing the RRC security and registration processes for the UE to be completed.
• The UE is released to the network with an RRC release message. The modified capabilities are forwarded by the gNB to the AMF, eliminating the need to repeat the capability transaction.

After the attack, the piece of UE is recognized as a device without supporting the S1 mode when it next connects to the gNB, resulting in reduced service quality. The S1 mode enables it to be served by non-standalone networks, whereas the N1 mode allows the UE to be served in standalone networks. To transition into a non-standalone network region, the network checks the UE’s previously stored capabilities to ascertain whether it supports the S1 mode. However, if the UE’s S1 mode support status is maliciously changed from “supported” to “unsupported”, the UE will encounter a service interruption when entering the non-standalone network service area.

3.2.2. Sequence Number Desynchronization

As with the other attack cases involving protocol tampering, sequence number desynchronization [67] involves exploiting vulnerabilities in the synchronization mechanism between the UE and 6G NTNs. To prevent replay during the registration procedure, the UE and 6G networks are synchronized by storing NAS counters for sending and receiving at the UE and AMF ends. An NAS counter is a 24-bit unsigned integer composed of a 16-bit overflow counter (oc) concatenated with an 8-bit sequence number (seq). The stored sequence numbers are denoted ${\mathrm{seq}}_{\mathrm{ul}}^{\mathrm{UE}}$, ${\mathrm{seq}}_{\mathrm{dl}}^{\mathrm{UE}}$, ${\mathrm{seq}}_{\mathrm{ul}}^{\mathrm{AMF}}$, and ${\mathrm{seq}}_{\mathrm{dl}}^{\mathrm{AMF}}$, indicating the numbers of uplink (ul) and downlink (dl) protocol messages at the ends of the UE and AMF. ${\mathrm{seq}}_{\mathrm{ul}}^{\mathrm{UE}}$ and ${\mathrm{seq}}_{\mathrm{dl}}^{\mathrm{AMF}}$ are local parameters obtained by counting the messages sent by the UE and AMF, respectively, and ${\mathrm{seq}}_{\mathrm{dl}}^{\mathrm{UE}}$ and ${\mathrm{seq}}_{\mathrm{ul}}^{\mathrm{AMF}}$ are the network parameters obtained via the received message at the UE and AMF ends, respectively. There is a vulnerability in refreshing ${\mathrm{seq}}_{\mathrm{dl}}^{\mathrm{UE}}$ and ${\mathrm{seq}}_{\mathrm{ul}}^{\mathrm{AMF}}$ with the received ${\mathrm{seq}}_{\mathrm{dl}}^{\mathrm{AMF}}$ and ${\mathrm{seq}}_{\mathrm{ul}}^{\mathrm{UE}}$ when the sequence number of the newly received message (for example, ${\mathrm{seq}}_{\mathrm{dl}}^{\mathrm{AMF}}$) is less than the sequence number of the last message that was accepted (${\mathrm{seq}}_{\mathrm{dl}}^{\mathrm{UE}}$). Thus, a MitM relay attack may involve capturing and replaying the Sec_Mode_Command and Sec_Mode_Complete messages with the uplink and downlink sequence numbers being 0, as shown in Figure 5. Sequence number desynchronization attacks are performed according to the following four stages, as shown in Figure 5:

• The adversary forces the victim UE to establish a connection with the MitM relay, and the MitM relay transmits unauthenticated initial broadcast messages at a higher signal strength.
• The MitM relay intercepts both the Sec_Mode_Command and Sec_Mode_Complete messages during the initial registration process.
• The adversary waits to capture and discard the subsequent Sec_Mode_Command and Sec_Mode_Complete messages during the RRC layer key refreshing process and then relays the intercepted Sec_Mode_Command and Sec_Mode_Complete messages and sets them to 0 to pass the integrity verification.
• The locally maintained ${\mathrm{seq}}_{\mathrm{dl}}^{\mathrm{UE}}$ and ${\mathrm{seq}}_{\mathrm{ul}}^{\mathrm{AMF}}$ are updated to 0 at the AMF, and the UE ends on the basis of the received ${\mathrm{seq}}_{\mathrm{dl}}^{\mathrm{AMF}}$ and ${\mathrm{seq}}_{\mathrm{ul}}^{\mathrm{UE}}$. Notably, with this attack, the adversary cannot reset the ${\mathrm{seq}}_{\mathrm{dl}}^{\mathrm{UE}}$ and ${\mathrm{seq}}_{\mathrm{ul}}^{\mathrm{AMF}}$ that are locally maintained by the UE and AMF, respectively.

With this attack, the adversary can reset ${\mathrm{seq}}_{\mathrm{ul}}^{\mathrm{AMF}}$ and ${\mathrm{seq}}_{\mathrm{dl}}^{\mathrm{UE}}$, which the AMF and UE maintain remotely. This attack disrupts the connection between the UE and the network, leading to repeated reconnections that can block services and drain the battery. It also risks incurring excessive charges through continuously resending identical data packets.

3.3. Classification and Identification Demands

DoS attacks of 6G NTN protocols, such as UPF DoS attacks, cause network service disruptions by disabling NFs. Thus, the key to defending against DoS attacks of 6G NTN protocols is to classify the attacks and identify the failed NFs. When a DoS attack is classified, the protocol traffic received by the identified failed NFs needs to be intercepted. It is easy to identify the failed NFs; for example, a failed UPF can be easily identified through logs in UPF DoS attacks. However, the lack of 6G NTN protocol attack data makes classifying UPF DoS attacks challenging. Thus, we design self-evolving classification methods to cover unclassified protocol attacks.

Attacks such as hijacking UE capabilities and sequence number desynchronization, which involve tampering with protocol sequences or fields, are more covert in 6G NTN environments than in other networks. Degraded NFs, such as those of UE, may not correspond to the entities actually sending or receiving the attack protocol message. Consequently, the protection target differs from the failed NF. The critical defense strategy is to identify anomalous protocol sequences, analyze their transmission paths, and intercept and monitor the corresponding NF and protocol messages. Here, we design online methods for identifying anomalous protocol sequences.

4. Interpretable Anomaly Detection Framework for 6G NTN Protocols

To classify uncovered protocol attacks and identify anomalous protocol sequences online, transparent and synergistic approaches must be applied. Here, we present an XAI-based interpretable anomaly detection framework for 6G NTN protocols. To achieve this, we first analyze the explainability and collaboration requirements of the framework. We then assess the existing capacity of XAI-based anomaly detection methods, determining what knowledge gaps remain to be addressed. Finally, a coordinated and explanatory approach for classifying uncovered attacks and identifying anomalous protocol sequences is designed.

4.1. Explanation and Collaboration Demands

DL-based anomaly detection methods process protocol data and output detection results. The explanatory and collaboration demands of DL-based anomaly detection are analyzed considering both the detection process and the detection outputs of rule detection and baseline detection, with a focus on classifying uncovered protocol attacks and identifying anomalous protocol sequences.

To classify uncovered protocol attacks, we need to develop a self-evolving rule detection method based on the fingerprint features of uncovered attacks. Despite the lack of fingerprint features for uncovered attacks, these fingerprint features can be reflected by the deviations captured during the baseline detection process and used as the basis for analyzing the detection results. Therefore, the baseline detection results must be explained to output the deviation information, which can be used to extract the fingerprint features of uncovered attacks. To establish a new rule classification method using external fingerprint features in an online environment, we need to make the rule detection process interpretable, focusing on how fingerprint features influence the detection process and results. With this approach, the system can self-evolve, and the focus of the feature can be adapted according to the external fingerprint feature information.

The collaboration between rule and base detection methods is also analyzed. The detection results for uncovered attacks from rule detection can trigger baseline detection. Baseline detection can abstract and output the weights of fingerprint features to rule detection. Rule detection must be designed to support explanations and adjust the weights of fingerprint features accordingly.

To identify anomalous protocol sequences online, tracing anomalous protocol sequences on the basis of the detection and/or classification results is essential. An explanation of the detection process focusing on the high-dimensional matching process offers little assistance for this task. The baseline detection results can be used to determine the quantitative contributions of the fingerprint features, as the features with larger contributions may reflect the anomalous protocol sequences caused by attacks. However, extracting these features using irreversible statistical methods or high-dimensional mapping approaches makes it difficult to obtain the original anomalous protocol sequences. To address this challenge, we must integrate XAI capabilities into baseline detection methods. This integration enables the tracking of protocol data and the original information throughout the entire mapping process, allowing us to output the detection results alongside the corresponding anomalous protocol sequences.

4.2. Interpretable Framework

To design an interpretable framework and thereby obtain explainable detection results, an explainable detection process, and interpretable baseline detection results, an XAI approach was introduced to the current detection framework, as shown in Figure 6. The explainable detection results can be obtained via the current XAI method, whereas an explainable detection process and interpretable baseline detection method still need to be designed. With these explainable capacities, self-evolving classification and online identification of anomalous protocol sequences can be achieved.

In the self-evolving classification process, an XAI method is used to explain the rule detection process and baseline detection results. The focus of the explanation of the detection results is the deviations of the attacks from the normal baseline, and these deviations are used to extract fingerprint features. The rule detection’s DL model trains feature weights, assigning larger weights to fingerprint features of the covered attacks, a process referred to as the attention mechanism; features with larger weights receive more attention. To classify the uncovered protocol attacks, their fingerprints must also receive more attention. Thus, an explanation of the attention mechanism is required to support the adjustment of the weights in the self-evolving classification of uncovered protocol attacks. By combining the baseline and rule detection methods with explanations of the detection results and process, a self-evolving classification method for uncovered attacks can be developed.

In the online identification of anomalous protocol sequences, an XAI method is used to provide inherently interpretable baseline detection results, which can be used to track protocol data and the original information throughout the entire mapping process. Furthermore, the detection results and the corresponding anomalous protocol data can be obtained simultaneously, thereby enabling effective anomaly identification.

The designs of the self-evolving classification method for uncovered protocol attacks and the online identification method for anomalous protocol sequences used in the explainable framework are discussed in the following sections.

5. Self-Evolving Classification Method

To create a self-evolving classification method for uncovered 6G NTN protocol attacks, the rule and baseline detection processes are elucidated using XAI technologies. Furthermore, these methods operate synergistically to extract and learn from the fingerprint features of uncovered protocol attacks. Fingerprint features, which represent the normal behavior of protocol attacks, which have distinct trends, are represented by feature parameters extracted from protocol traffic. To extract the fingerprint features of uncovered attacks, transparent baseline detection results are obtained using XAI technologies. This transparency allows the deviations of uncovered attacks from the normal baseline behavior to be identified and their fingerprint features to be extracted. To learn from these fingerprint features, a transparent rule detection process is also obtained using XAI technologies. With this transparency, understandable and adjustable attention can be directed to specific features during the rule detection process. A collaborative approach involving the baseline and rule detection methods is then designed. In particular, the fingerprint features obtained from the baseline detection process are shared with the rule detection method, enabling the latter to increase the classification accuracy on the basis of this external information.

The self-evolving classification method is designed considering a baseline detection method with explainable detection results. In particular, the fingerprint features of uncovered attacks are extracted by explaining the quantitative contributions of the protocol features to the detection results. Furthermore, rule detection with an explainable detection process is implemented; in this process, the attention to the features is explainable and can be adjusted during the detection process, as shown in Figure 7.

5.1. Baseline Detection with Explainable Results

The baseline detection method is made transparent on the basis of the explainable results. This method includes the baseline detection model, which matches the detected protocol features with the normal baseline, and an XAI mechanism applied to the detection results, which captures the deviation between the protocol traffic and the baseline, as shown in Figure 7. The baseline detection model is designed on the basis of an AE DL model to form the baseline of normal protocol behavior. With this approach, attacks can be efficiently detected, including uncovered protocol attacks. The SHAP-based XAI mechanism is applied to the detection results to make the baseline detection model transparent; this model provides the quantitative contributions of the protocol features to the detection results. The features with significant contributions are considered fingerprint features. The fingerprint features will be sent to the rule detection process, where attention is adjusted based on their quantitative contributions.

To obtain the quantitative contributions, the anomalous protocol feature flows detected by the baseline detection model are first consolidated; these flows are referred to as attack flows. The quantitative contributions of each attack flow are obtained, normalized, and fed back into the rule detection model. First, the SHAP model interprets local anomalous protocol data that deviate from the baseline. Then, the quantitative contributions of the features for each attack flow are calculated with the SHAP model. For attack flow k, the quantitative contribution of the nth feature $x_{k,n}$ is represented by ${\lambda }_{k,n}$, which is given by its Shapley value as follows:

$${\lambda }_{k,n}=\sum _{S\subseteq X_k\setminus x_{k,n}}{\displaystyle \frac{\left|S\right|!\left(\right|X_k|-|S|-1)!}{|X_k|!}}\left[f(S\cup x_{k,n})-f\left(S\right)\right],$$

(1)

where S is the set of all the features except the nth feature. $|·|$ indicates the number of elements. The function f represents the prediction probability. Equation (1) provides the marginal contribution, which is the variation in the prediction value of the baseline model when the nth feature is input. With Equation (1), the quantitative contributions of each feature can be normalized among the attack flows. The contribution of feature n is calculated as

$${\lambda }_n=\mathcal{E}\left({\lambda }_{n,k},k=1,\dots ,K\right),$$

(2)

where $\mathcal{E}(·)$ is the expectation function, and ${\lambda }_n\le 1$. The contribution values reflect the fingerprint features of the uncovered attacks. Larger positive values indicate that the features significantly deviate from the normal baseline values, whereas larger negative values indicate that the features closely match the normal baseline values. The explanation results of the baseline need to be expressed as feature weights properly to support the adjustment of the rule detection’s focus. Thus, the weight of feature n is denoted $w_{0,n}$ and is calculated as

$$w_{0,n}=\left\{\begin{array}{ccc}\hfill {\displaystyle \frac{1}{{\lambda }_n}},& \hfill & \hfill {\lambda }_n>0,\\ \hfill -{\lambda }_n,& \hfill & \hfill {\lambda }_n\le 0.\end{array}\right.$$

(3)

Define the weight set $w_0$. Let $w_0=\left\{w_{0,n}\right\}$ with $w_0\in {\mathcal{R}}^N$.

With Equation (3), it can be seen that the weights are calculated by the contributions. The negative contributions of the features indicate no anomalous trends of those features. Including these contributions will decrease the probability of the classification, where the probability of being the classification is calculated by adding the contributions of the features. For the features indicating no anomalous trends, their contributions are negative. Including these contributions will decrease the probability of the classification. Therefore, the attention of the positive contribution features can be enhanced, and the attention of negative contribution features will be decreased in rule detection.

5.2. Rule Detection with an Explainable Process

In this section, the rule detection process is made transparent, allowing the focused features and their weights to be adaptively adjusted to classify the uncovered protocol attacks in 6G NTNs.

The DL model for rule detection trains feature weights, assigning larger weights to fingerprint features of the covered attacks, a process referred to as the attention mechanism; features with larger weights receive more attention. To classify the uncovered protocol attacks, their fingerprints must also receive more attention. Thus, an explanation of the attention mechanism is required to support the adjustment of the weights. To make the attention mechanism understandable and thus adjustable, i.e., input the feature weights of the uncovered features, the self-attention model is introduced, which is applied before the deep learning models in rule detection.

This method is designed to consist of an XAI mechanism in the detection process, which involves adjusting the rule detection feature patterns, and a rule detection model, which involves matching the detected protocol features with the feature patterns of the covered attacks, as illustrated in Figure 7. During training, a wide range of fingerprint features of covered attacks can be obtained from extensive open-source datasets and used to predefine the rule detection patterns. In the rule detection model, a one-dimensional CNN and a bidirectional LSTM (BiLSTM) network are integrated; this approach enables efficient matching of the protocol features with the covered attack patterns.

The XAI mechanism used in the detection process is placed before the rule detection model, which is the key to establishing a new classification. The XAI mechanism used in the detection process is designed with a modified attention method, in which an additional weight adjustment is performed on the basis of the feedback results from the baseline detection process. Assume that the protocol features that need to be detected are represented by X, where $x_{m,n}\in X$ represents the mth protocol flow and nth feature. The attention layer parameters, i.e., the value vector, query vector, and key vector, are represented by V, Q, and K and given by

$$\begin{array}{c}\hfill V=X{\eta }_V,Q=X{\eta }_Q,K=X{\eta }_K,\end{array}$$

(4)

where ${\eta }_V,{\eta }_Q,{\eta }_K$ are the weight matrices obtained by the backpropagation algorithm and ${\eta }_V\in {\mathbb{R}}^{N\times D_V}$, ${\eta }_Q\in {\mathcal{R}}^{N\times D_Q}$, ${\eta }_K\in {\mathcal{R}}^{N\times D_Q}$. By setting $D_V=D_Q=D_K=N$, $V,Q,K\in {\mathcal{R}}^{M\times N}$.

Then, on the basis of the input protocol features X, a modified attention layer is designed to output the adjusted protocol features represented by Z, as follows:

$$Z=w_{x}V\odot w_s,$$

(5)

where $w_{x}V$ represents the output of the original attention layer and where $w_{x}V$ represents the enhancement in the time series characteristics of X. $w_s$ is the introduced weight for adjustment, which adjusts the focus of the protocol features on the basis of the feedback, namely, the quantitative contributions of the features.

To obtain Z, $w_x$ is calculated on the basis of Q and K, as follows:

$$\begin{array}{c}\hfill w_x=\mathrm{softmax}\left({\displaystyle \frac{Q{K}^T}{\sqrt{N}}}\right),\end{array}$$

(6)

where $w_x\in {\mathcal{R}}^{M\times M}$ and $Q{K}^T$ is normalized by $\sqrt{N}$ to avoid the extreme output of the Softmax function. $w_s$ is calculated via Equation (6), which is expressed as

$$\begin{array}{c}\hfill w_s={\displaystyle \frac{1}{|w_0|}}\{w_0;w_0;\cdots ;w_0\},\end{array}$$

(7)

where $w_s$ contains M $w_0$ values; thus, $w_s\in {\mathcal{R}}^{M\times N}$. On the basis of Equations (5)–(7), the output of the attention mechanism Z can be calculated, where $Z=\{z_{m,n},m=1,\dots ,M, n=1,\dots ,N\}$ and $Z\in {\mathcal{R}}^{M\times N}$. With $w_s$, the focus on the features and their weights can be adjusted on the basis of the fingerprint features of the uncovered protocol attacks. The process of the self-evolving classification method is given in Algorithm 1. It can be seen that the baseline and rule detection models are trained first. Then, the detection begins with the rule detection. The uncovered attack detection results from rule detection can trigger the baseline detection. The baseline detection can detect, abstract, and output the weights of the fingerprint features to the rule detection. Finally, the rule detection can adjust these weights of fingerprint features to classify uncovered protocol attacks. In the proposed self-evolving classification method, no more than one iteration occurs. When there are no uncovered protocol attacks, no interaction takes place. If an uncovered protocol attack exists, the rule detection first identifies it and outputs that it is uncovered. Then, the baseline detection runs to indicate that it is an uncovered attack. Finally, the rule detection evolves and classifies the uncovered detection. Additionally, to further reduce time consumption, the first and second steps can be performed simultaneously, which will require more computational resources.

Algorithm 1 Self-evolving classification algorithm.

1: Input: Normal, covered attack, undetected protocol data. 2: Extract protocol features [21]. 3: Train the AE-based baseline detection model described in Section 5.1 with normal features. 4: Train the CNN and BiLSTM rule detection models described in Section 5.2 with the features of covered attacks. 5: Input the undetected protocol features of 6G NTNs. 6: if matches the covered rules then 7:    Output: CNN and BiLSTM models output the matched protocol attack. 8:    Break. 9:    if matches the baseline then 10:       Output: AE model outputs normal traffic. 11:       Break. 12:    else 13:       Self-attention model described in Section 5.2 self-evolves based on Equation (5). 14:       Rule detection method described in Section 5.2 classifies uncovered protocol attacks of 6G NTNs. 15:    end if 16: end if 17: Output: Classification results.

6. Online Identification Method

In the proposed interpretable detection framework, an intrinsically interpretable identification method is designed to capture and output anomalous protocol sequences during the detection process. To achieve this, since all XAI frameworks are extrinsic and cannot be adopted directly, the main principles used to design an intrinsic anomaly identification method for 6G NTN protocols are analyzed as follows.

The original information of the protocol signals is input instead of the instantaneous envelope and statistical features. The inputs with positive contributions can be inverted to retrieve the original protocol, namely, the anomalous protocol sequences. Additionally, inputs must be formatted to ensure compatibility with the DL models.

Inputs are processed with the original protocol information efficiently in the DL models. To reduce the computational load associated with the original protocol data, inputs can be segmented into static and dynamic parts on the basis of their variability during 6G NTN operations. The model can be trained to predict the static parts offline, whereas the dynamic parts must be predicted in real time.

The identification and detection processes are synchronized. An inherently interpretable scheme that detects and interprets anomalous protocols simultaneously, namely, a network that directly identifies anomalous protocol sequences, is designed. Thus, the necessary conditions for real-time prevention can be achieved.

On the basis of these principles, the original protocol signal information is transformed into images and fed into the model, providing a rich context for tracing the input back to the anomalous data points. The identification method is structured as a two-layer architecture composed of a prediction layer and a detection layer; this method efficiently processes the input protocol data. In the detection layer, traditional in Section 7.1 calculations are replaced with XOR operations, enabling simultaneous identification and detection of anomalous protocol sequences. In the process of actively identifying anomalous data points, an XAI mechanism is employed to provide inherently interpretable baseline detection results, ensuring that the protocol data and original information can be tracked throughout the entire mapping process. This approach concurrently obtains the detection results and the corresponding anomalous protocol data, facilitating effective anomaly identification. In the following sections, we leverage the explainable framework to design a self-evolving method for classifying uncovered protocol attacks and develop an active approach for identifying anomalous protocol data, as shown in Figure 8.

6.1. Preprocessing on the Basis of Coding

Anomalies are embedded within 6G NTN protocol sequences instead of traffic features in attacks such as hijacking UE capability and sequence number desynchronization. Thus, the protocol sequences, not the traffic features, must serve as the inputs to detect and identify anomalies. However, the original protocol sequences contain unstructured descriptions, which are unsuitable for direct input into DL models.

To solve this problem, we need to convert 6G protocol sequences into images, which need to fulfill two demands: one is that a DL model can process it, and the other is to retain enough information to reverse back to protocol data. A single 6G protocol message consists of many sequences that include semantic English words, phrases, and special symbols as non-numeric components, along with numeric components. To preserve all this information, we utilize the one-hot encoding or ASCII encoding method to transform each message into a matrix. Each row of the matrix represents a sequence, and each column corresponds to a character in that sequence. For the non-numeric components, we first apply a regular expression tokenization algorithm to separate them, then use either one-hot encoding or ASCII encoding methods; for the numeric parts, we directly apply one-hot encoding or ASCII encoding methods. This encoding process converts both non-numeric and numeric components into unique binary vectors. Next, we combine the numeric and non-numeric vectors, group them in 8-bit segments, and pad the final group with zeros if it contains fewer than 8 bits. We then convert the grouped sub-vectors from binary to decimal, ensuring that the values fall within the range of [0, 255]. These can be represented via a grayscale image and then input into the DL model for anomaly detection. The grayscale image mapping serves as an intuitive example (e.g., mapping temporal signaling features to pixel intensity), but it can be replaced with graph embedding or other forms without affecting the core contribution.

The preprocessing method preserves the integrity of the protocol sequence information and ensures the reversibility of the mapping process. In addition, the images can be processed by the detection model. Therefore, the essential condition for identifying anomalous protocol sequences via XAI mechanisms is fulfilled.

6.2. Intrinsic Identification via a Dual-DNN Approach

With images serving as inputs, sufficient information is provided to trace the inputs back to the anomalous 6G NTN protocol sequences. However, the tracing method still needs to be designed, which can be achieved through the intrinsic explainable baseline detection process. This approach should simultaneously identify anomalous protocol sequences and provide explainable detection results. Additionally, the intrinsic explainable detection method must efficiently process the inputs, which contain information about the 6G NTN protocol that is richer than the abstracted information, such as statistical data or envelopes.

Therefore, we design a dual-DNN model to detect anomalies in 6G NTN protocol sequences efficiently. The proposed dual-DNN consists of two DNN models: the first DNN model is the prediction model, and the second model is the detection model.

The first model predicts the corresponding normal data for the data under detection. Among them, static fields can be obtained during training. Firstly, training the historical protocol data can acquire static information, which remains consistent across different terminals and network infrastructures. Secondly, the static data vary between various terminals and network infrastructures but remain unchanged within the same UE, and the infrastructure is obtained by training protocol data collected from the corresponding terminals and networks in the 6G network under detection. These static fields can be accomplished during training. But the dynamic fields varying across different communication protocol processes and even sequences still need to be predicted based on the information of the protocol data under detection. This prediction is completed during the online inference process.

To reduce computational complexity, the dual-DNN model predicts only the dynamic information of protocol sequences, whereas static information is directly obtained from the trained model. The dynamic baseline information predicted by the 1st DNN is then input into the 2nd DNN, at which point the information is combined with the static prediction results to generate a comprehensive representation of the normal baseline information.

For the 6G NTN protocol sequences, more than 95% of the fields are static. For example, in the NG application protocol (downlink NASTransport) signal sequence used during the registration process, as shown in Figure 9, only the information about the encryption algorithm identifier, integrity protection algorithm identifier, message authentication code, and sequence number is dynamic. Thus, the dual-DNN model can process the protocol signals efficiently.

In the second DNN model, convolutional computations are replaced with XOR operations. By comparing the predicted normal sequence with the sequence under detection, mismatched portions are identified as anomalous fields. If there is no attack, the detection matrix will be zero. Otherwise, there will be elements in the detection matrix that are one, corresponding to the anomalous signal fields. Lastly, the anomalous signal fields can be obtained by reversing the matrix to derive the protocol information. This approach not only detects anomalies but also localizes the exact positions of the anomalous fields. To identify the anomalous protocol fields, they are usually local, such as tampering with the sequence number, which is a specific protocol field. Therefore, the interpretable ability can be local or global, but it is necessary to target those anomalous protocol fields specifically. The proposed dual-DNN model is globally interpretable because the detection matrix includes the anomalous or normal state of all the protocol data.

To design the dual-DNN model, there is one base DNN model consisting of the input, output, and hidden layers, and the number of hidden layers is denoted by L. The activation function is Sigmoid.

The first DNN model uses the base DNN model directly. The input of the first DNN model is the data matrix mapping for the protocol data; each matrix corresponds to one protocol message, with dimensions equal to the number of lines in the protocol message and the ASCII-coded maximal line length of the sequences included by this message. The number of neurons in the hidden layer must be no less than the total number of elements contained in the input data matrix. The output of the first DNN model is the predicted normal matrix, which has the same dimensions as the input.

The second DNN model is designed to replace the convolution calculation with the XOR of the base DNN model. The model focuses on all the image sections instead of the image margins. The input for this second DNN model consists of the data matrix that requires detection and the corresponding predicted data matrix. Furthermore, the number of neurons in the hidden layer must be at least equal to the total number of elements in the input data matrix. For any layer l, $a^l$ is the output vector, which is also the input to the $l+1$th layer. The XOR operation is performed between the weights of the neurons in the $l+1$th layer. Further, the activation function denoted by f follows this operation to obtain $a^{l+1}$, which is given by

$$a^{l+1}=f\left({\omega }^l\oplus a^l\right),$$

(8)

where ${\omega }^l$ denotes the weight.

After performing the XOR calculation between the predicted data matrix and the data matrix to be detected, we obtain the detection result matrix. On the basis of the output of the 2nd DNN, a label is assigned to each grayscale value, with 0 and 1 indicating normal and anomalous points, respectively. Anomalies are highlighted in red. Because the grayscale-to-signal transformation is reversible, anomalous signal points can be precisely located.

With the former design, the intrinsic identify is achieved. The process is summarized below. The identification model begins with inputting an ASIC-encoded grayscale image, which is a matrix consisting of elements that are either zero or one. Then, the identification model continues to process, detect, and identify. One layer of the DNN predicts the expected value when the system is not under attack. In the second layer of the DNN, the predicted matrix and the input matrix undergo an XOR operation to output the detection matrix. If there is no attack, the detection matrix will be zero. Otherwise, there will be elements in the detection matrix that are one, corresponding to the anomalous signal fields. Lastly, the anomalous signal fields can be obtained by reversing the matrix to derive the protocol information.

7. Simulation Results

The efficiency of the proposed XAI-based detection framework for 6G NTN drones is validated from two aspects: the self-evolving classification of uncovered attacks and the online identification of anomalous protocol sequences.

The protocol data for simulation include the data for the UPF DoS case proposed in Section 3 and the open-source dataset CICIDS2017, as described in

Table 3. Simulation data.

Data		Roles	Features	Source	Scale
CICIDS 2017	BENIGN	Normal behavior	78 features [68]	Open-source	150,000
	DoS	Covered attack		Open-source	70,000
UPF DoS		Uncovered attack		Collected	33,494

.

The attack protocol data in the attack cases described in Section 3 are collected, which will be used to validate the designed methods. Thus, an experimental platform is established on one x86 computer with a simulated UE, a simulated RAN, and a 5G CN running on two virtual machines. One virtual machine hosts the simulated UE and RAN via UERANSIM, whereas the other is used to run the 5G CN using Open5GS software v2.6.4. We assume that the gNB is intruded and that the attacker delivers the MitM relay tool to the intruded gNB. The air interface between the MitM relay and the gNB is omitted. Then, the UPF DoS attack, protocol sequence tampering, and a normal case are implemented on the simulation platform. During the implementation of the three threat cases, the protocol data of the Ng interface are collected to verify the effectiveness of the proposed methods. The parameters are provided in

Table 4. Attack case parameters.

Case	${\mathit{n}}_{\mathbf{UE}}^{\mathbf{no}}$	${\mathit{n}}_{\mathbf{UE}}^{\mathbf{at}}$	${\mathit{n}}_{\mathbf{CN}}$	${\mathit{n}}_{\mathbf{BS}}$	Frequency
Normal	10	0	1	1	1/s
UPF DoS	10	50	1	1	100/s, 500/s and 1000/s
Protocol sequence tempering	10	0	1	1	N/A

, where $n_{\mathrm{UE}}^{\mathrm{no}}$, $n_{\mathrm{UE}}^{\mathrm{at}}$, $n_{\mathrm{CN}}$ and $n_{\mathrm{gNB}}$ represent the numbers of normal users, attacker users, CNs and BSs, respectively. To ensure that the input data are balanced, the undersampling method randomly selects an equal number of data samples from each case. More than 3,000,000 labeled flows are collected from the Ng interface via Wireshark, consisting of normal traffic data (806,205), UPF DoS data (1,595,999), hijack UE capacity data (6404), and sequence number desynchronization data (4384). With these data, the proposed methods are validated in Section 7.1 and Section 7.2.

This article evaluates the self-evolving classification and the online identification methods with the basic metrics, including the accuracy (denoted $r_{\mathrm{ACC}}$), precision (denoted $r_{\mathrm{PRE}}$), recall (denoted $r_{\mathrm{RE}}$), and F1 score (denoted $r_{\mathrm{F}1}$), which are formulated as

$$r_{\mathrm{ACC}}={\displaystyle \frac{n_{\mathrm{TP}}+n_{\mathrm{TN}}}{n_{\mathrm{TP}}+n_{\mathrm{TN}}+n_{\mathrm{FP}}+n_{\mathrm{FN}}}},r_{\mathrm{PRE}}={\displaystyle \frac{n_{\mathrm{TP}}}{n_{\mathrm{TP}}+n_{\mathrm{FP}}}},r_{\mathrm{RE}}={\displaystyle \frac{n_{\mathrm{TP}}}{n_{\mathrm{TP}}+n_{\mathrm{FN}}}},r_{\mathrm{F}1}={\displaystyle \frac{2r_{\mathrm{PRE}}{r}_{\mathrm{RE}}}{r_{\mathrm{PRE}}+r_{\mathrm{RE}}}},$$

(9)

where the numbers of true positives, false positives, true negatives, and false negatives are denoted $n_{\mathrm{TP}}$, $n_{\mathrm{FP}}$, $n_{\mathrm{TN}}$, and $n_{\mathrm{FN}}$, respectively.

7.1. Self-Evolving Classification

To evaluate the effectiveness of the self-evolving classification method for uncovered attacks (SECs) with the proposed XAI detection framework, CNN–BiLSTM-based [35] and Hoeffding Anytime Tree (HATT)-based [43] detection methods are used for comparison. The CNN–BiLSTM method is configured according to

Table 5. Configuration of models.

Category	Model	Parameter	Value
Rule detection	Self-Attention	Number of attention heads	4
		Attention dimension	64
		Hidden dimension	256
		Dropout rate	0.1
	CNN	Number of convolution kernels	32
		Convolution kernel size	3
	BiLSTM	Number of LSTM units	32
		Activation function	Softmax
Baseline detection	AutoEncoder	Loss function	MSE
		Norm regularization	L1-norm, L2-norm ($\lambda$ = 3)
		MSE threshold	90%
		Activation function	Sigmoid
	SHapley Additive exPlanations	Interpreter	Kernel Explainer
		Error threshold	0.5
		Number of abnormal samples to be explained	100
Training	N/A	Optimizer	Adam (lr = 0.001)
		Batch size	128
		Epochs	100

, and the HATT method is set as described in [43].

The performance of the proposed SEC method is validated with the basic detection metrics defined in Equation (9). Further, the classification performance of uncovered attacks is also assessed, where the basic metrics of classification and detection are equal for rule detection methods. For example, the accuracy of classification equals the accuracy of detection for rule detection methods. Besides, to evaluate the abstraction of fingerprint features related to uncovered protocol attacks, the contributions of these features are represented by the waterfall figure of the SHAP method. To assess the adjustable capability, the attention of the features of the rule detection model is also provided. Comparing the attention figures before and after the adjustment, it can be seen that the rule detection model has enhanced the fingerprint features of uncovered protocol attacks after the adjustment.

First, the detection performance of the SEC, CNN–BiLSTM, and HATT methods, namely, the average detection performance for uncovered attacks, is given in

Table 6. Detection performance for uncovered attacks with “↑” meaning increase.

Models	UPF DoS
	$r_{\mathrm{PRE}}$ (%)	$r_{\mathrm{REC}}$ (%)	$r_{\mathrm{F}1}$ (%)
CNN-BiLSTM	100	50.2	66.8
HATT	75.3	78.2	76.8
SEC	100	93.8	96.6
Improvement (SEC vs. CNN-BiLSTM)	0	$\uparrow 86.8$	$\uparrow 44.6$
Improvement (SEC vs. HATT)	$\uparrow 32.8$	$\uparrow 19.9$	$\uparrow 25.7$

. For the detection of UPF DoS attacks, the precision, recall, and F1 score are used to evaluate performance. Here, the accuracy is omitted since the accuracy is equal to the precision if only uncovered attacks are considered. The CNN–BiLSTM model exhibits high precision (100%) and low recall (50.2%) for UPF DoS attacks, indicating that many of these uncovered attacks are missed, leading to many missed detections. The HATT model has low precision (75.3%) and high recall (78.2%) for UPF DoS attacks. In contrast, the proposed SEC method achieves high precision (100%) and recall rates (93.8%) for UPF DoS attacks. These findings indicate that the SEC method can accurately detect almost all uncovered attacks while maintaining a low false positive rate. This balance results in an F1 score of 96.6%, which is 44.6% and 25.7% higher than those of the CNN–BiLSTM and HATT methods on average, respectively. The detection performance metrics of the SEC method are better than those of the CNN–BiLSTM and HATT methods because the SEC method utilizes the fingerprint features of the uncovered attacks extracted from the detection process. Thus, the SEC model can detect and classify uncovered attacks efficiently.

Next, we evaluate the performance of the proposed SEC in extracting the fingerprint features. After the baseline model detects the uncovered protocol attacks, the XAI mechanism used in the baseline detection model is used to capture the fingerprint features of these attacks. Figure 10 illustrates the quantitative contributions of the protocol features for the detected UPF DoS attacks across our dataset when the system is under UPF DoS. The red and blue bars represent the positive and negative contributions to the detection results. The protocol features with positive and negative contributions to the detection results are defined as the positive and negative fingerprint features, respectively. In the case of the UPF DoS attack, the positive fingerprint features are numbered 2, 3, 8, 17, 42, 69, and 78 [68], which are Flow Duration, Total Fwd Packets, Fwd Packet Length Mean, Flow IAT Mean, Packet Length Std, Act Data Pkt Fwd, and Idle Min. The negative fingerprint features are numbered 39 and 48 [68], which are Min Packet Length and ACK Flag Count, with reduced attention to negative fingerprint features during the rule detection process, as described in the following subsection.

To assess the effectiveness of the self-evolving features in the rule detection method, we compared the attention maps before and after the self-evolving method based on the fingerprint characteristics was applied, as shown in Figure 11 and Figure 12. The color intensity in these figures indicates the degree of attention: brighter colors represent greater attention and thus more significant influence on the prediction results, whereas darker colors signify less attention and thus less contribution to the prediction results. Based on these feature contributions revealed by Figure 10, we have adjusted our feature attention strategy by shifting focus from Figure 11 to Figure 12, increasing attention to positively contributing features while decreasing focus on negative contributors. Figure 11 shows the attention map for covered DoS attacks before the self-evolving method is applied. The rule detection model focuses the most on features numbered 4, 23, 39, 41, 55, and 78 [68], which are Total Backward Packets, Fwd IAT Std, Min Packet Length, Packet Length Mean, AvgBwdSegmentSize, and IdleMin, as highlighted by the brighter colors in the plots. After the self-evolving method is applied to classify UPF DoS attacks, the attention given to features numbered 39 and 48 [68]—which are Min Packet Length and ACK Flag Count—is reduced, as indicated by the darker colors, and the attention given to features numbered 2, 3, 8, 17, 42, 69, and 78 [68]—which are Flow Duration, Total Fwd Packets, Fwd Packet Length Mean, Flow IAT Mean, Packet Length Std, Act Data Pkt Fwd, and Idle Min,—is increased, as highlighted by the brighter colors, as shown in Figure 12. Thus, the rule detection method can dynamically reassign more attention to features with higher positive contributions and reduce the attention given to features with negative contributions. This enhances its effectiveness in detecting and classifying uncovered anomalies.

7.2. Online Identification

The performance of the proposed online identification method is assessed by the basic metrics defined in Equation (9). Further, the identification results are displayed for the two proposed protocol tamper attack cases: the tampered capacity of N1 mode 3GPP access and the tampered sequence number.

The first aspect is the detection performance, which is evaluated using three key metrics: the precision, recall, and F1 score. Figure 13 shows the detection performance in the hijacking UE capability and sequence number desynchronization attacks. The detection performance of the proposed intrinsic identification method is compared with that of the CNN and LSTM methods. In the hijacking UE capability case, the accuracy, recall, and F1 score of the proposed intrinsic scheme reach 96%, 1, and 98%, respectively. Compared with those of the CNN [38] and LSTM [33] methods, the precision is improved by 84% and 26%, respectively; the F1 score is increased by 46% and 14%, respectively; and the recall remains constant. The trends for the sequence number desynchronization case are similar to those for the hijacking UE capability case, where the proposed intrinsic scheme outperforms both the CNN and LSTM methods.

The second aspect is the identification performance, as shown in Figure 14 and Figure 15. The detection matrix is calculated using the bitwise XOR of the attack-free reference matrix (predicted by the identification model) and the test input matrix. Nonzero elements (logical ‘1’) in the resulting matrix indicate anomalous signal fields, which are then mapped back to their original signal domains through matrix inversion. The anomalous sections of the images are clearly highlighted in the two attack cases, hijacking the UE capability and sequence number desynchronization. This proves that the proposed detection scheme provides intrinsic explanations, and the corresponding detection and identification results are presented in the figures. The highlighted sections can be converted into protocol signal sequences. Thus, the anomalous signal sequences can be identified.

8. Conclusions

Given the serious security threats to drones using 6G NTN protocols, it is important to detect, classify, and identify protocol attacks. However, classifying uncovered protocol attacks and identifying anomalous protocol data remain challenging. To address these issues, this paper presents an interpretable anomaly classification and identification method for 6G NTN protocols. We design an interpretable anomaly detection framework that introduces XAI techniques and can be used in conjunction with existing detection methods, thereby ensuring both interpretability and cooperation with other approaches. Using this framework, we develop a self-evolving classification method to identify uncovered protocol attacks. The rule detection process and baseline detection results are made transparent through XAI technologies; this information is used synergistically to extract and learn from the fingerprint features of uncovered protocol attacks, and these features are used in the classification process. Additionally, an online identification method is designed within the proposed framework to capture and output anomalous protocol data during the detection process on the basis of an intrinsic interpretable model. The simulation results show that the proposed classification and identification methods can effectively classify uncovered protocol attacks and identify anomalous protocol sequences. Compared with existing methods, the precision of the self-evolving classification method is improved by a maximum of 32.8%, and that of the online identification method for anomalous protocol sequences is increased by at least 26%.