Security, Privacy and System-Level Resillience of 6G End-to-End System: Hexa-X-II Perspective

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

The sixth generation (6G) of mobile networks is being developed to overcome limitations in previous generations and meet emerging user demands. As a European project, the Smart Networks and Services Joint Undertaking (SNS JU) 6G Flagship project Hexa-X-II has a leading role in developing technologies and anchoring the 6G end-to-end system. This paper summarizes the security, privacy and resilience (SPR) controls identified by the Hexa-X-II project and their validation frameworks.


💡 Research Summary

The paper presents a comprehensive overview of the security, privacy, and system‑level resilience (SPR) controls identified within the European Hexa‑X‑II 6G flagship project and outlines the validation frameworks used to assess them. Hexa‑X‑II envisions the 6G end‑to‑end (E2E) system as a stack of four layers—infrastructure, network‑function, application‑enablement platform, and application—each permeated by SPR functionalities.

Three architectural trends drive new threats: the “network of networks” (NoN) compositional pattern, the cloud‑continuum paradigm, and the disaggregation of the radio access network (RAN). To mitigate the resulting complexity, Hexa‑X‑II proposes formal security proofs and confidential computing mechanisms that guarantee correctness and trustworthiness of deployed services.

Physical‑layer security (PLS) and the novel Physical‑Layer Deception (PLD) technique are explored in depth. By exploiting ultra‑wideband channel state information (CSI) and applying machine‑learning classifiers, the project demonstrates environment‑aware secret‑key generation that adapts to obstacles, mobility, and channel conditions. PLD goes further: it uses a symmetric block cipher with a randomly selected key from a predefined pool, transmits ciphertext and plaintext in a way that makes them indistinguishable to an eavesdropper with poor channel quality, and can be randomly switched on or off to hide its activation. Simulations show PLD reduces leakage‑failure probability compared with conventional PLS, especially when the eavesdropping channel is relatively strong.

Artificial intelligence and machine learning (AI/ML) are recognized as both enablers and attack surfaces. Hexa‑X‑II focuses on trustworthy AI for 6G, emphasizing security, privacy, and explainability. Federated Learning (FL) is highlighted as a privacy‑preserving distributed training paradigm, yet it remains vulnerable to model poisoning and data poisoning attacks. Countermeasures such as anomaly detection (leveraging XAI), adaptive regularization, norm clipping, and weak differential privacy are proposed, though the authors note the difficulty of simultaneously achieving robustness and strong privacy guarantees.
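An added illustration of two of the countermeasures named above, norm clipping and weak differential privacy, applied at the federated-averaging step. This is example code, not taken from the paper or the Hexa‑X‑II project; the client updates, `clip_norm` and `noise_std` values are constructed assumptions.

```python
import math
import random

def l2_norm(vec):
    return math.sqrt(sum(x * x for x in vec))

def clip_update(update, clip_norm):
    """Norm clipping: rescale an update so its L2 norm is at most clip_norm."""
    norm = l2_norm(update)
    if norm <= clip_norm:
        return list(update)
    return [x * clip_norm / norm for x in update]

def aggregate(updates, clip_norm=None, noise_std=0.0, rng=None):
    """Average client updates, optionally clipping each one and adding
    Gaussian noise to the result (the 'weak DP' step)."""
    rng = rng or random.Random(0)
    if clip_norm is not None:
        updates = [clip_update(u, clip_norm) for u in updates]
    dim = len(updates[0])
    mean = [sum(u[i] for u in updates) / len(updates) for i in range(dim)]
    return [m + rng.gauss(0.0, noise_std) for m in mean]

def distance(a, b):
    return l2_norm([x - y for x, y in zip(a, b)])

def demo():
    """Return (error without defence, error with defence) vs. the honest mean."""
    rng = random.Random(42)
    # Constructed sample data: 9 honest clients near a common direction,
    # plus 1 client submitting a boosted (model-poisoning) update.
    target = [0.10, -0.05, 0.02]
    honest = [[t + rng.gauss(0.0, 0.01) for t in target] for _ in range(9)]
    poisoned = [-50.0, 50.0, 50.0]
    updates = honest + [poisoned]
    honest_mean = aggregate(honest)
    plain = aggregate(updates)
    # clip_norm and noise_std are illustrative values, not calibrated
    # to any formal (epsilon, delta) privacy budget.
    defended = aggregate(updates, clip_norm=0.2, noise_std=0.001, rng=rng)
    return distance(plain, honest_mean), distance(defended, honest_mean)

if __name__ == "__main__":
    plain_err, defended_err = demo()
    print(f"error without defence: {plain_err:.3f}")
    print(f"error with clipping + noise: {defended_err:.3f}")
```

Clipping bounds how far any single client can move the average, while the small noise term is too weak to give a formal privacy guarantee, which reflects the robustness-versus-privacy tension the summary mentions.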

Joint Communication and Sensing (JCAS) introduces unique privacy challenges because sensing data can be highly sensitive. The project defines a Sensing Policies, Control, and Transparency Management (SPCTM) network function, integrates it into the core, and evaluates the extended JCAS architecture using STRIDE (security) and LINDDUN (privacy) threat models. Mitigation strategies are suggested for identified risks.

A Level of Trust Assessment Function (LoTAF) is introduced to support cloud‑continuum scenarios. LoTAF acts as a neutral, bidirectional service that assists trustors (users) in making informed decisions and provides trustees (network operators) with compliance insights. Its operation consists of two phases: (i) semantic understanding, mapping, and knowledge‑graph representation of trust agreements; and (ii) continuous monitoring of service assurance, detecting deviations from agreed trust requirements and applying rewards or penalties to a dynamic “Level of Trust” score. LoTAF aligns with ITU‑T Y.3057 and Service Assurance for Intent‑Based Networking (IBN) standards.

Quantum‑resistant cryptography is addressed through the integration of post‑quantum cryptography (PQC) primitives into existing software stacks, notably TLS. Hexa‑X‑II evaluates the impact of PQC on network structure, operation, and performance, and explores synergies with Quantum Key Distribution (QKD) for adaptive key management during the long transition to quantum‑safe communications. Current experiments focus on availability and performance trade‑offs.

Distributed Ledger Technologies (DLTs) are investigated as a means to securely store and share network topology information among multiple stakeholders. By employing a private, permissioned ledger, topology changes are recorded as immutable transactions, ensuring that only authorized parties can modify configurations, thereby enhancing security and privacy in multi‑stakeholder scenarios.

For validation, Hexa‑X‑II integrates a comprehensive security framework that includes SecDevOps pipelines, declarative service‑specific privacy manifests, Threat Risk Assessor (TRA) outputs for privacy quantification, Zero‑Trust Security and Identity Management components for continuous trust evaluation, AI‑driven Security Orchestrators for function chaining, and Network Digital Twins (NDT) for “what‑if” scenario analysis. These tools enable continuous monitoring, automated mitigation, and quantitative assessment of privacy, security, and resilience throughout the service lifecycle.

In conclusion, the Hexa‑X‑II project delivers a holistic set of SPR controls—ranging from architectural safeguards, physical‑layer techniques, trustworthy AI, JCAS privacy management, trust assessment, quantum‑resistant cryptography, to DLT‑based configuration integrity—and validates them through a robust, multi‑layered evaluation platform. This work lays a solid foundation for building a secure, private, and resilient 6G end‑to‑end ecosystem.

