Microsoft developed Project Ire: an autonomous AI system that detects malware through complete reverse engineering without human intervention.
Researchers at Microsoft have developed an autonomous AI system that can independently recognize malware. The system is named Project Ire. Unlike traditional detection tools, the AI agent performs full reverse engineering without prior knowledge of the software file.
Project Ire uses advanced language models in combination with analysis and reverse engineering tools such as the open-source frameworks Ghidra and angr. The AI reconstructs the control flow of software, analyzes functions, and builds a chain of evidence to substantiate an assessment. This approach allows for the identification of complex malware without human intervention.
Accurate Results
In a practical test, Project Ire was assigned nearly 4,000 difficult-to-analyze software files, which typically require human analysis. The system achieved a precision of 0.89 and a recall of 0.26. In layman’s terms: 89 percent of the code identified as malware was indeed malware, and of all the malware present in the test samples, the AI was able to find 26 percent.
Only difficult samples were used in that test. On a classic set of test samples, Project Ire performs much better, with a recall of 83 percent and a precision of 98 percent. The AI can also produce detailed reports that substantiate the classification conclusion step by step. Thanks to this transparency, the findings can readily be audited.
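The precision and recall figures above are easy to misread when only one of them is quoted. The following added example (written for this article, not code from Microsoft or Project Ire) computes both metrics from a constructed set of classifier verdicts and then turns published precision/recall figures into a rough confusion matrix for a pre-filter stage, so a security team can see how many malware samples such a stage catches, how many false positives it raises, and how many files are still left for human review. The sample verdicts and the 1,000/3,000 malware-to-benign split are assumptions for illustration only.

```python
# Constructed sample of (classifier verdict, ground truth) pairs.
# These labels are made up for illustration and are not Project Ire output.
SAMPLE_VERDICTS = [
    ("malware", "malware"), ("malware", "malware"), ("malware", "malware"),  # true positives
    ("malware", "benign"),                                                  # false positive
    ("benign", "malware"), ("benign", "malware"),                           # false negatives
    ("benign", "benign"), ("benign", "benign"),
    ("benign", "benign"), ("benign", "benign"),                             # true negatives
]


def confusion_counts(verdicts):
    """Return (tp, fp, fn, tn) for a list of (predicted, actual) label pairs."""
    tp = sum(1 for pred, truth in verdicts if pred == "malware" and truth == "malware")
    fp = sum(1 for pred, truth in verdicts if pred == "malware" and truth == "benign")
    fn = sum(1 for pred, truth in verdicts if pred == "benign" and truth == "malware")
    tn = sum(1 for pred, truth in verdicts if pred == "benign" and truth == "benign")
    return tp, fp, fn, tn


def precision_recall(verdicts):
    """Precision: share of 'malware' verdicts that were right.
    Recall: share of actual malware that was flagged.
    Both guard against division by zero when a class is absent."""
    tp, fp, fn, _ = confusion_counts(verdicts)
    precision = tp / (tp + fp) if (tp + fp) else 0.0
    recall = tp / (tp + fn) if (tp + fn) else 0.0
    return precision, recall


def prefilter_workload(precision, recall, n_malware, n_benign):
    """Estimate the effect of a pre-filter stage from its published precision
    and recall, assuming a corpus with n_malware malicious and n_benign clean
    files (the split is an assumption; the article gives only the sample count).

    Files the pre-filter flags are assumed to be handled automatically;
    everything else still goes to a human analyst."""
    tp = round(recall * n_malware)                       # malware caught
    fp = round(tp * (1 - precision) / precision) if precision else 0  # clean files wrongly flagged
    fn = n_malware - tp                                  # malware missed, still in the queue
    flagged = tp + fp
    human_queue = n_malware + n_benign - flagged
    return {
        "true_positives": tp,
        "false_positives": fp,
        "false_negatives": fn,
        "flagged": flagged,
        "human_queue": human_queue,
    }


if __name__ == "__main__":
    p, r = precision_recall(SAMPLE_VERDICTS)
    print(f"constructed sample: precision={p:.2f} recall={r:.2f}")
    # Hard-sample figures from the article, applied to an assumed 1,000/3,000 split.
    print("hard set   :", prefilter_workload(0.89, 0.26, 1000, 3000))
    # Classic-sample figures from the article, same assumed split.
    print("classic set:", prefilter_workload(0.98, 0.83, 1000, 3000))
```

Under the assumed split, the hard-set figures flag about 292 files (260 real malware, 32 false positives) and leave roughly 3,700 of the 4,000 for analysts, which is what "filter a quarter of the malware without too many false positives" means in practice; the classic-set figures flag far more malware with proportionally fewer false positives.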
Ready for Practice
The initial results show potential for large-scale, autonomous malware classification with a clear evidence trail that security teams can validate. Project Ire specifically demonstrates significant added value as an additional component for assessing potential malware. As a step before human intervention, the system can already correctly filter out a quarter of the malware without too many false positives.
Microsoft therefore wants to deploy Project Ire as an internal analysis tool within the Defender ecosystem under the name Binary Analyzer. The ultimate goal is to analyze suspicious software directly from memory at the moment of first contact, without manual intervention.
