Covert channels are created using packet header manipulation, having some serious drawbacks of detectability. TCP/IP header follows strict seam tics, if it is manipulate by a single bit, semantics will not seem to be a normal distribution. Here we are proposed the IP-ID Reference Model as a new way covert communication. This model is implemented in Linux kernel 3.0, as a proof of concept. The idea of our proposed model is, sender is not actually embedding the covert message into IPV4 Identification (ID) field, instead of that it uses its reference to convey the covert message to the receiver.
So this field is observed as a normal packet distribution and can be created by any Linux or BSD Kernel. In a proof of concept, we develop Linux Loadable Kernel Modules (LKM) and application layer utility for generatingnetwork traffic with existing Linux kernel. Our embedding algorithm is not modifying a single bit of IPV4 identification (ID) field, so the structure and non-uniformity of this field is maintain.