Abstract:
Network attacks that use covert techniques to evade security detection, remain latent over the long term, and steal information have become a major security issue in current networks. The field faces three challenges: the strong concealment of these attacks makes them difficult to detect; the massive volume of communication data in high-speed network environments makes it difficult to build a fine-grained detection model; and the persistence and complexity of covert communication lead to a lack of labeled data, which makes model construction harder. To address these problems, this paper uses statistical analysis of campus network traffic to describe and study hidden communication behavior based on covert conversations, and proposes a method for detecting it. The original session flows are aggregated by a parallelized session flow aggregation algorithm, and covert communication behavior is characterized in terms of central tendency and dispersion. A label propagation algorithm is introduced to extend the labeled data, and finally a multi-class detection model is constructed. Simulation results and experiments in a real network environment verify the method's effectiveness in detecting hidden communication behavior.
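The pipeline summarized above (session aggregation, central-tendency and dispersion features, label/tag propagation) can be sketched as follows. This is an added example, not the paper's code. The `(src, dst)` grouping key, the four features, the RBF similarity graph, and all sample records are assumptions. Aggregation runs serially here, and the final multi-class model is left out.

```python
import math
from collections import defaultdict
from statistics import mean, median, pstdev

def _pair(src, dst, times, sizes):
    return [(src, dst, t, b) for t, b in zip(times, sizes)]

# Constructed session records (src, dst, start_s, bytes); not data from the paper.
SESSIONS = (
    _pair("10.0.0.5", "203.0.113.10", (0, 60, 120, 180, 240), (512, 512, 520, 512, 508))
    + _pair("10.0.0.7", "203.0.113.20", (0, 61, 120, 181, 240), (500, 504, 500, 498, 500))
    + _pair("10.0.0.8", "198.51.100.5", (0, 5, 200, 210, 900), (300, 45000, 1200, 98000, 700))
    + _pair("10.0.0.9", "198.51.100.9", (0, 30, 35, 400, 1000), (800, 120000, 400, 5000, 60000))
)
# Assumed seed labels for two of the four host pairs; the other two are unlabeled.
SEEDS = {("10.0.0.5", "203.0.113.10"): "covert", ("10.0.0.8", "198.51.100.5"): "benign"}

def aggregate(sessions):
    """Group raw sessions by (src, dst); the grouping key is an assumption."""
    flows = defaultdict(list)
    for src, dst, start, size in sessions:
        flows[(src, dst)].append((start, size))
    return flows

def features(records):
    """Central tendency (log median) and dispersion (CV) of gaps and sizes.
    Needs at least two sessions per pair so that one gap exists."""
    records = sorted(records)
    gaps = [b[0] - a[0] for a, b in zip(records, records[1:])]
    sizes = [size for _, size in records]
    cv = lambda xs: pstdev(xs) / mean(xs) if mean(xs) else 0.0
    return (math.log10(median(gaps) + 1), cv(gaps), math.log10(median(sizes) + 1), cv(sizes))

def propagate(vectors, seeds, sigma=0.5, rounds=30):
    """Spread seed labels to unlabeled pairs over an RBF similarity graph."""
    classes = sorted(set(seeds.values()))
    score = {k: [float(seeds.get(k) == c) if k in seeds else 1 / len(classes) for c in classes]
             for k in vectors}
    weight = lambda a, b: math.exp(-math.dist(vectors[a], vectors[b]) ** 2 / (2 * sigma ** 2))
    for _ in range(rounds):
        for k in vectors:
            if k in seeds:
                continue  # labeled pairs stay clamped to their seed label
            mix = [sum(weight(k, j) * score[j][i] for j in vectors if j != k)
                   for i in range(len(classes))]
            score[k] = [m / sum(mix) for m in mix]
    return {k: classes[max(range(len(classes)), key=s.__getitem__)] for k, s in score.items()}

def classify(sessions=SESSIONS, seeds=SEEDS):
    vectors = {pair: features(recs) for pair, recs in aggregate(sessions).items()}
    return propagate(vectors, seeds)
```

The regular, fixed-size sessions of the unlabeled pair `10.0.0.7` land next to the covert seed in feature space, while the bursty pair `10.0.0.9` inherits the benign label.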