Microsoft on Tuesday unveiled Project Ire, a prototype autonomous AI agent that can analyze software files in order to determine whether they hide malware.
According to Microsoft, Project Ire can autonomously reverse engineer and classify software without any prior context, automating and scaling what can be a complex process.
Project Ire was developed by teams at Microsoft Research, Microsoft Defender Research, and Microsoft Discovery & Quantum.
It uses decompilers and other tools to gather data that enables it to determine whether a file is benign or malicious, while also providing a traceable chain of evidence.
“The system’s architecture allows for reasoning at multiple levels, from low-level binary analysis to control flow reconstruction and high-level interpretation of code behavior,” Microsoft explained.
It added, “Its tool-use API enables the system to update its understanding of a file using a wide range of reverse engineering tools, including Microsoft memory analysis sandboxes based on Project Freta, custom and open-source tools, documentation search, and multiple decompilers.”
Project Ire’s goal is to reduce analyst error and fatigue, accelerate threat response, and strengthen defenses against evolving attacks, Microsoft said.
In tests conducted by the tech giant on a dataset of Windows drivers that included both malicious and benign software, Project Ire correctly identified 90% of files and only flagged 2% of the benign files as dangerous.
In a different test on roughly 4,000 files that had been queued for reverse engineering and analysis by human experts, the results were mixed. Precision was high: roughly nine out of ten files Project Ire flagged as malicious were in fact malicious, and only 4% of the benign files were wrongly flagged. Recall, however, was low: the system detected only about a quarter of the actual malware in the set, so the "9 out of 10" figure describes how trustworthy its alerts were, not how much of the malware it caught.
Microsoft admitted that the overall performance was moderate, but argued that the testing conditions were challenging and the results still indicate “real potential for future deployment”.
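The two test results above are easy to misread because they mix three different metrics: precision (of the files flagged, how many were really malicious), recall (of the malicious files, how many were flagged) and false positive rate (of the benign files, how many were wrongly flagged). The following Python block, an added example that is not Microsoft's code, computes all three plus accuracy from a list of verdicts; the sample verdict set is constructed to reproduce the shape of the second test (high precision, low recall, 4% false positives), and its sample IDs are placeholders rather than real file hashes.

```python
"""Confusion-matrix metrics for a binary malware classifier.

Added example, not Microsoft's code. The verdict set is constructed:
100 malicious files of which the classifier catches 26, and 75 benign
files of which it wrongly flags 3. Sample IDs are placeholders.
"""
from dataclasses import dataclass
from hashlib import sha256


@dataclass(frozen=True)
class Verdict:
    sample_id: str
    is_malicious: bool   # ground truth, e.g. from human analysts
    flagged: bool        # the classifier's output ("malicious")


def confusion_counts(verdicts):
    """Return (tp, fp, tn, fn) for an iterable of Verdict objects."""
    tp = fp = tn = fn = 0
    for v in verdicts:
        if v.flagged and v.is_malicious:
            tp += 1
        elif v.flagged and not v.is_malicious:
            fp += 1
        elif not v.flagged and v.is_malicious:
            fn += 1
        else:
            tn += 1
    return tp, fp, tn, fn


def _ratio(num, den):
    # Guard against an empty class (no flagged files, no benign files, ...).
    return num / den if den else 0.0


def evaluate(verdicts):
    """Precision, recall, false positive rate and accuracy.

    precision: tp / (tp + fp)   how trustworthy an alert is
    recall:    tp / (tp + fn)   how much of the malware was caught
    fpr:       fp / (fp + tn)   how often benign files are wrongly flagged
    accuracy:  (tp + tn) / all  fraction of files classified correctly
    """
    tp, fp, tn, fn = confusion_counts(verdicts)
    return {
        "tp": tp, "fp": fp, "tn": tn, "fn": fn,
        "precision": _ratio(tp, tp + fp),
        "recall": _ratio(tp, tp + fn),
        "fpr": _ratio(fp, fp + tn),
        "accuracy": _ratio(tp + tn, tp + fp + tn + fn),
    }


def constructed_sample():
    """Constructed verdicts (not real data): 26 TP, 74 FN, 3 FP, 72 TN."""
    verdicts = []

    def add(count, is_malicious, flagged, tag):
        for i in range(count):
            # Placeholder ID derived from the tag; not a real file hash.
            sid = sha256(f"{tag}-{i}".encode()).hexdigest()[:12]
            verdicts.append(Verdict(sid, is_malicious, flagged))

    add(26, True, True, "tp")    # malware the classifier caught
    add(74, True, False, "fn")   # malware it missed
    add(3, False, True, "fp")    # benign files it wrongly flagged
    add(72, False, False, "tn")  # benign files it correctly passed
    return verdicts


if __name__ == "__main__":
    metrics = evaluate(constructed_sample())
    for name, value in metrics.items():
        if isinstance(value, float):
            print(f"{name:>9}: {value:.3f}")
        else:
            print(f"{name:>9}: {value}")
```

Running it shows precision near 0.9 and a false positive rate of exactly 0.04 alongside a recall of 0.26: the alerts are reliable, but most of the malware goes undetected, which is the distinction that matters when deciding whether such a classifier can replace, rather than supplement, a human triage queue.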
“Based on these early successes, the Project Ire prototype will be leveraged inside Microsoft’s Defender organization as Binary Analyzer for threat detection and software classification,” Microsoft said.
“Our goal is to scale the system’s speed and accuracy so that it can correctly classify files from any source, even on first encounter. Ultimately, our vision is to detect novel malware directly in memory, at scale,” it added.