This study addresses the limitations of existing security monitoring approaches for low Earth orbit (LEO) satellite constellations, which are predominantly confined to the physical layer and thus ineffective against network-layer and sophisticated composite attacks, while also lacking validation with real-world data. To overcome these challenges, this work proposes a lightweight, cross-layer behavioral fingerprinting framework that, for the first time, integrates physical-layer measurements with network-layer telemetry to enable low-overhead anomaly detection. The method employs an unsupervised Mahalanobis distance–based algorithm, enhanced by orbital simulation and fusion of multi-source heterogeneous features, making it suitable for multi-operator cooperative environments. Evaluated on Starlink, Kuiper, and multi-operator scenarios, the approach achieves recall rates of 99.5%, 99.4%, and 94.8%, respectively, with false positive rates consistently below 0.7%.

Low-Earth Orbit (LEO) mega-constellations such as Starlink by SpaceX and Kuiper by Amazon rely on optical Inter-Satellite Links (ISLs) for autonomous mesh routing to provide low-latency telecommunication, Internet of Things (IoT), and security services globally. As commercial operators and governments deploy increasingly dense constellations and form multi-operator peering coalitions, ISL integrity becomes critical to both commercial availability and national security. However, there is a lack of real-world data for LEO constellations and existing real-time security approaches focus strictly on physical layer security, leaving blind spots in the coverage of network-layer and composite attacks. In this paper, we present a cross-layer, lightweight behavioral fingerprinting framework that fuses onboard physical-layer measurements with network-layer data to detect anomalies at low computational overhead. We construct an orbital simulation covering the first shells of Starlink (1,584 satellites), Kuiper (1,156 satellites), and a joint multi-operator peering scenario (2,740 satellites), injecting ten attack types that span spoofing, traffic manipulation, and routing subversion at varying severity. We evaluate three unsupervised, per-satellite detectors among which our Mahalanobis-distance-based detector achieves 99.5% recall on Starlink, 99.4% on Kuiper, and 94.8\% on the multi-operator constellation, while maintaining False Positive Rates (FPR) below 0.7%. Our results demonstrate that cross-layer feature fusion is not only necessary for comprehensive security of LEO constellations but highly cost-effective for large-scale networks while fitting into the strict onboard energy budgets of resource-constrained satellites.