Microsoft Corp. introduced a new artificial intelligence agent on Tuesday that can analyze and classify malware in the wild at scale, without human intervention.
The newly minted AI model, named Project Ire, can reverse-engineer suspect software files, using forensic tools such as decompilers and binary analysis frameworks to deconstruct the code and determine whether a file is hostile or safe.
“It was the first reverse engineer at Microsoft, human or machine, to author a conviction case — a detection strong enough to justify automatic blocking — for a specific advanced persistent threat malware sample, which has since been identified and blocked by Microsoft Defender,” the Ire research team said.
According to the company, when tested against a public dataset of Windows drivers, Project Ire achieved a precision of 0.98 and a recall of 0.83. In terms of pattern recognition and detection, this is very good. The precision figure means that when the software flags a file as malicious, it is right about 98% of the time, producing almost no false positives. The recall figure means it catches about 83% of the actual malware when it casts its net. So, it catches most threats, but it might miss a few.
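To make those definitions concrete, here is a minimal, generic sketch of the arithmetic behind the two metrics, with invented counts that happen to reproduce the reported figures; it illustrates how precision and recall are computed and is not part of Project Ire:

```python
# Generic precision/recall arithmetic, shown for illustration only.
def precision_recall(tp: int, fp: int, fn: int) -> tuple[float, float]:
    precision = tp / (tp + fp)  # share of flagged files that are truly malicious
    recall = tp / (tp + fn)     # share of actual malware that gets flagged
    return precision, recall

# Hypothetical counts: 98 correct detections, 2 false alarms, 20 misses
# yield precision 0.98 and recall ~0.83, matching the reported figures.
print(precision_recall(98, 2, 20))  # (0.98, 0.8305...)
```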
Microsoft said its Defender platform, a suite of security tools that protects individuals and organizations from cyber threats, scans more than one billion devices monthly. That scanning captures a constant stream of potentially hostile files that must be routinely reviewed by experts.
“This kind of work is challenging,” the Ire team said. “Analysts often face error and alert fatigue, and there’s no easy way to compare and standardize how different people review and classify threats over time.”
Human reviewers bring a creativity and adaptability to malware analysis that automated software validation struggles to replicate. Many validation processes in malware detection are ambiguous and often require human review, particularly because malware authors build in anti-reverse-engineering protections and other obstacles to hinder straightforward detection.
Project Ire uses advanced reasoning models to address these problems: like a human engineer, it strips away these defenses with specialized tools and autonomously evaluates their outputs as it iteratively works to classify the software's behavior.
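Microsoft has not published the agent's internals, but a tool-use loop of the general kind described above might look like the following rough sketch; every name, callback and the confidence threshold are assumptions made for illustration, not Project Ire's actual design:

```python
# Hypothetical sketch of an iterative analyze-and-evaluate loop, loosely
# modeled on the behavior described in the article. All parameters are
# illustrative assumptions; Microsoft has not disclosed Ire's internals.
from typing import Callable

def classify_binary(
    path: str,
    run_tool: Callable[[str, str], str],                # e.g., decompiler, sandbox
    pick_next_tool: Callable[[list[str]], str | None],  # reasoning model chooses a tool
    assess: Callable[[list[str]], tuple[str, float]],   # returns (verdict, confidence)
    max_rounds: int = 10,
) -> tuple[str, list[str]]:
    evidence: list[str] = []
    for _ in range(max_rounds):
        tool = pick_next_tool(evidence)        # model decides what to try next
        if tool is None:
            break                              # model believes it has enough evidence
        evidence.append(run_tool(tool, path))  # record the tool's output as evidence
        verdict, confidence = assess(evidence)
        if confidence >= 0.95:                 # stop once the model is confident
            return verdict, evidence
    return assess(evidence)[0], evidence
```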
“For each file it analyzes, Project Ire generates a report that includes an evidence section, summaries of all examined code functions, and other technical artifacts,” the team said.
These technical artifacts could include conclusions such as, “The binary contains several functions indicative of malicious intent,” followed by direct evidence compiled from the forensic tools. For example, the agent might mention the inclusion of logging wrappers, targeted security process termination, anti-analysis behavior and more.
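As a rough sketch of what such a per-file report might contain, drawing only on the description above (all field names here are hypothetical, not Ire's actual schema):

```python
from dataclasses import dataclass, field

# Hypothetical shape of a per-file analysis report, inferred only from
# the description above; the field names are illustrative assumptions.
@dataclass
class FunctionSummary:
    name: str       # symbol or address of the examined code function
    behavior: str   # what the function appears to do

@dataclass
class AnalysisReport:
    verdict: str                                        # e.g., "malicious" or "benign"
    evidence: list[str] = field(default_factory=list)   # e.g., "anti-analysis behavior"
    function_summaries: list[FunctionSummary] = field(default_factory=list)
    other_artifacts: list[str] = field(default_factory=list)
```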
Putting Ire to a real-world test
In a real-world scenario involving 4,000 “hard target” files that had not been classified by automated systems and were pending expert review, the AI agent performed slightly worse than in controlled tests, yet still showed moderate effectiveness.
According to Microsoft, it achieved a precision of 0.89, meaning roughly nine out of 10 files it flagged as malicious actually were. Its recall was 0.26, meaning the system detected around a quarter of all the actual malware that passed through its dragnet. It also had only a 4% false positive rate, the share of safe files it wrongly claimed were malware.
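As with the earlier test, the relationship between these rates and raw counts can be illustrated with invented numbers; Microsoft did not publish the underlying confusion matrix, so the counts below are hypothetical and chosen only to land near the reported figures:

```python
# Hypothetical counts chosen to approximate the reported rates; Microsoft
# did not release the real confusion matrix for the 4,000-file test.
tp, fp, fn, tn = 90, 11, 256, 264

precision = tp / (tp + fp)  # ~0.89: flagged files that were truly malicious
recall = tp / (tp + fn)     # ~0.26: actual malware that was caught
fpr = fp / (fp + tn)        # 0.04: safe files wrongly flagged as malware
print(f"precision={precision:.2f} recall={recall:.2f} fpr={fpr:.0%}")
```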
“While overall performance was moderate, this combination of accuracy and a low error rate suggests real potential for future deployment,” the team said.
The introduction of Project Ire follows the unveiling of autonomous agentic AI security software from technology giants such as Google LLC and Amazon.com Inc. Google's Big Sleep vulnerability discovery agent, launched last year, proactively hunts for unknown software vulnerabilities; the company revealed that it had identified a critical SQLite flaw using data from the Google Threat Intelligence Group.
Microsoft reported that initial tests of Project Ire have shown promise, and the prototype will be used within the Defender organization for threat detection and software classification. The goal is to scale Ire's speed and accuracy so that it can correctly classify files at the source on first encounter, with no prior reference, even while they are running in memory, and at large scale.
Image: Microsoft