🤖 AI Summary
IPv6 extension headers can be exploited for covert communication and for evading detection, and labeled data for this threat is scarce. To address this, the paper proposes a lightweight covert traffic injection method oriented toward real-world attacks and introduces the first data augmentation paradigm designed specifically for IPv6 covert channels. The authors design a multimodal fusion model that combines CNN-LSTM with tree-based classifiers, and propose a generative AI-driven, prompt-engineering-based explainability framework for threat attribution and decision provenance. Evaluated on the authors' self-constructed, open-source dataset, the model achieves over 90% detection accuracy and remains robust and generalizable under low-sample and highly variable attack conditions. Key contributions: (1) behavior-preserving covert injection; (2) a novel IPv6 covert channel data augmentation paradigm; (3) a generative AI-enabled interpretability framework; and (4) a reproducible benchmark.
📝 Abstract
The flexibility and complexity of IPv6 extension headers allow attackers to create covert channels or bypass security mechanisms, which can lead to data breaches or system compromise. Machine learning has matured into the primary detection technology for mitigating covert communication threats. However, the difficulty of detecting covert communication, the evolution of injection techniques, and the scarcity of data make building machine learning models challenging. In previous related research, machine learning has performed well at detecting covert communication, but the oversimplified attack scenarios assumed in that work do not reflect the complexity of modern covert techniques and make the covert traffic easier for a model to detect. To bridge this gap, we analyzed the packet structure and network traffic behavior of IPv6, used encryption algorithms, and injected covert communication without changing network packet behavior, bringing the evaluation closer to real attack scenarios. Beyond analyzing and injecting covert communication, this study trains the proposed detection model with a comprehensive set of machine learning techniques, including tree-based methods such as random forests and gradient boosting as well as neural network architectures such as CNNs and LSTMs, and achieves detection accuracy of over 90%. We detail the methods used for dataset augmentation and compare the performance of the applied models, reinforcing insights into the adaptability and resilience of machine learning applied to IPv6 covert communication detection. We also propose a Generative AI-assisted interpretation concept based on prompt engineering, as a preliminary study of the role of Generative AI agents in covert communication detection.
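As an added example (not code from the paper or its dataset), the following Python snippet parses an IPv6 packet's extension-header chain and derives the kind of per-packet features a detector like the one described above can consume: the header chain, option count, padding bytes, non-zero PadN bodies and the entropy of option payloads. The feature names, the constructed sample packet and the experimental option type it carries are my assumptions, not the paper's.

```python
import math
import struct
from collections import Counter

EXT_HEADERS = {0: "hop-by-hop", 43: "routing", 44: "fragment", 60: "dest-options"}  # RFC 8200 next-header values
PAD1, PADN, OPTION_HEADERS = 0, 1, {0, 60}   # padding option types; Hop-by-Hop and DstOpt carry TLV options
def shannon_entropy(data: bytes) -> float:   # bits per byte; 0.0 for empty input
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values()) if data else 0.0

def parse_options(block: bytes) -> list:   # (type, body) pairs from a Hop-by-Hop/DstOpt option area
    i, opts = 0, []
    while i < len(block):
        if block[i] == PAD1:               # Pad1 is a single byte with no length field
            opts.append((PAD1, b""))
            i += 1
            continue
        if i + 1 >= len(block) or i + 2 + block[i + 1] > len(block):
            raise ValueError("malformed option: length runs past the header")
        olen = block[i + 1]
        opts.append((block[i], block[i + 2:i + 2 + olen]))
        i += 2 + olen
    return opts

def extract_features(pkt: bytes) -> dict:   # walk the extension-header chain, return per-packet features
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, nh = struct.unpack("!HB", pkt[4:7])
    off, chain, opts = 40, [], []
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        hdr_len = 8 if nh == 44 else (pkt[off + 1] + 1) * 8   # fragment header is a fixed 8 bytes
        chain.append(EXT_HEADERS[nh])
        if nh in OPTION_HEADERS:
            opts += parse_options(pkt[off + 2:off + hdr_len])
        nh, off = pkt[off], off + hdr_len
    pads = [(t, b) for t, b in opts if t in (PAD1, PADN)]
    other = b"".join(b for t, b in opts if t not in (PAD1, PADN))   # bytes carried by non-padding options
    return {"ext_chain": chain, "ext_bytes": off - 40, "upper_proto": nh, "option_count": len(opts),
            "ext_ratio": (off - 40) / payload_len if payload_len else 0.0,
            "pad_bytes": sum(1 if t == PAD1 else 2 + len(b) for t, b in pads),
            "nonzero_padn": sum(1 for t, b in pads if t == PADN and any(b)),   # PadN bodies must be all zero
            "opt_entropy": shannon_entropy(other)}

def build_sample() -> bytes:   # constructed packet: IPv6 + DstOpt (zero PadN, one experimental option) + UDP stub
    options = bytes([PADN, 2, 0, 0]) + bytes([0x1E, 8]) + bytes(range(8))   # 0x1E: RFC 4727 experimental type
    dst_opts = bytes([17, (2 + len(options)) // 8 - 1]) + options            # next header UDP; len in 8-octet units
    ip = struct.pack("!IHBB", 0x60000000, len(dst_opts) + 8, 60, 64)        # version 6, next header 60, hop limit 64
    ip += struct.pack("!IIII", 0x20010DB8, 0, 0, 1) + struct.pack("!IIII", 0x20010DB8, 0, 0, 2)  # 2001:db8::1 -> ::2
    return ip + dst_opts + struct.pack("!HHHH", 40000, 53, 8, 0)             # 8-byte UDP header, no payload
```

Calling `extract_features(build_sample())` yields one feature row; run it over a capture to build the input matrix for a tree-based or CNN-LSTM classifier.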