To address the high dynamics, heterogeneity, and multi-scenario security requirements of 6G networks—where conventional architectures struggle with unknown threats and heterogeneous protection needs—this paper proposes ES3A, an End-to-end, Service-oriented, and Smart Security Architecture. ES3A introduces six novel, integrated design principles: hierarchy, endogeneity, elasticity, trustworthiness, privacy preservation, and adaptivity. It adopts a “three-layer, three-domain” structure comprising the Service-oriented Security Layer, End-to-end Protection Layer, and Intelligent Coordination Layer, aligned with the Access, Transport, and Application Domains. A dual-phase intelligent policy orchestration mechanism enables on-demand, customizable security enforcement. Prototype evaluation on an SDR platform demonstrates that ES3A reduces average threat response time by 42% and improves policy adaptation accuracy by 35%, outperforming state-of-the-art approaches in comprehensive security performance.

The upcoming 6G will fundamentally reshape mobile networks beyond communications, unlocking a multitude of applications that were once considered unimaginable. Meanwhile, security and resilience are especially highlighted in the 6G design principles. However, safeguarding 6G networks will be quite challenging due to various known and unknown threats from highly heterogeneous networks and diversified security requirements of distinct use cases, calling for a comprehensive re-design of security architecture. This motivates us to propose ES3A (Entire Smart Service-based Security Architecture), a novel security architecture for 6G networks. Specifically, we first discuss six high-level principles of our ES3A that include hierarchy, flexibility, scalability, resilience, endogeny, and trust and privacy. With these goals in mind, we then introduce three guidelines from a deployment perspective, envisioning our ES3A that offers service-based security, end-to-end protection, and smart security automation for 6G networks. Our architecture consists of three layers and three domains. It relies on a two-stage orchestration mechanism to tailor smart security strategies for customized protection in high-dynamic 6G networks, thereby addressing the aforementioned challenges. Finally, we prototype the proposed ES3A on a real-world radio system based on Software-Defined Radio (SDR). Experiments show the effectiveness of our ES3A. We also provide a case to show the superiority of our architecture.