Frankenstein : A Tale of Horror and Logic Programming ∗

Frankenstein is a new, more stealthy malware propagation system that evades feature-based detection through camouflage rather than mere diversity. Rather than mutating purely randomly as it propagates, it stitches together instruction sequences harvested from programs that have already been classified as benign by local defenses. The resulting mutants are each unique, yet fully composed of benign-looking code. This makes it hard for feature-based malware detectors to find a signature that reliably identifies all variants. Frankenstein relies on concepts from constraint logic programming to correctly and quickly identify potential instruction sequence orderings that produce behavior semantically equivalent to the original malware. This article presents the context for Frankenstein’s development, and explains how logic programming became the tool of choice for crafting a next-generation cyber weapon.