Microsoft has launched an autonomous agent for detecting malware – and it’s already completed a first-of-a-kind detection of an active hacking group.
Project Ire is an AI agent capable of reverse engineering software files to investigate whether they’re malicious and analyze their origins, even if they don’t match any previously-cataloged threats.
Powered by a combination of large language models (LLMs) and specialized cybersecurity analysis tools, the agent is intended to automate malware classification to ease cybersecurity analyst burnout.
In recent tests, Project Ire was exposed to known samples from a database hackers have used for living off the land attacks, alongside harmless Windows drivers.
The agent correctly flagged 90% of all files, with only a two percent false positive rate, confirming the malicious nature of files such as a kernel-level rootkit by identifying suspicious features like process termination and a web-connected command and control structure.
Microsoft researchers described its ability to blindly reverse engineer files as “the gold standard in malware classification”.
They added that Project Ire is the first reverse engineer at Microsoft to build a strong enough case against a specific advanced persistent threat (APT) malware strain to justify its automatic blocking in Windows Defender.
In a broader test, researchers exposed Project Ire to 4,000 files that were unclassified by Microsoft’s automated systems and would normally have to be reviewed by highly-skilled reverse engineers.
Project Ire achieved a precision score of 0.89, meaning 90% of the files it marked as malicious were indeed threats, alongside an overall recall score of 0.26 meaning it discovered around 25% of all the malware in the sample.
Microsoft noted the tool achieved these results autonomously, with none of the files it was exposed to having been present in its training data, adding that other autonomous tools made by Microsoft were unable to classify the files at all.
Project Ire was created as a joint project between Microsoft Research, Microsoft Defender Research, and Microsoft Discovery & Quantum.
Project Ire could shake up AI malware classification
Malware classification is a painstaking process, in which experts pore over hundreds or thousands of files to determine whether a given piece of software has a malicious purpose.
In the past it’s been nearly impossible to automate, as AI tools can’t easily reverse engineer files without their context. They also lack the ability to definitively validate whether a file is malicious, as specific features within software could have both malicious and benign purposes.
Microsoft has attempted to overcome these limitations through Project Ire by equipping it with multi-level reasoning capabilities and the ability to call open source tools, documentation, and decompilers via API calls.
Every time Project Ire analyzes a file, the agent first runs triage to classify it, note its structure, and capture any other details that could point to its purpose or origin.
It then reverse engineers the file’s control flow graph, a graphic representation of a program’s execution paths, using the open source frameworks angr and Ghidra.
Project Ire can then call specific tools via an API to investigate specific functions within the file, adding each finding to an auditable chain of evidence that human analysts can check afterward to validate the LLM’s findings.
It is capable of periodically cross-checking its own claims using a built-in ‘validator’ tool, which uses expert statements from human malware reverse engineers who helped build Project Ire as context for making a final call for whether the file is malicious or benign.
This is then summarized in a final report for analyst oversight.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
The move to a digital network and its role in the bigger picture of achieving true digital transformation: how SMBs can set themselves up for successSupported Beyond the dial tone, the digital switchover is the key to SMB success
-
Middlesbrough Council boosts cybersecurity spending, strategy in response to repeated cyberattacksReviews Councils across the UK have publicly struggled with maintaining services in the face of major cyber disruption
-
A malicious MCP server is silently stealing user emailsNews Koi Security says it's discovered the first malicious MCP server in the wild, exposing a risk to the entire ecosystem
-
Cisco ASA customers urged to take immediate action as NCSC, CISA issue critical vulnerability warningsNews Cisco customers are urged to upgrade and secure systems immediately
-
NCA confirms arrest after airport cyber disruptionNews Disruption is easing across Europe following the ransomware incident
-
Cyber skills shortages are pushing firms into dangerous shortcuts – and it’s putting them at huge risk of security breachesNews Chronic cyber skills shortages mean many businesses are implementing quick fixes
-
Pentesters are now a CISOs best friend as critical vulnerabilities skyrocketNews Attack surfaces are expanding rapidly, but pentesters are here to save the day
-
Hackers are disguising malware as ChatGPT, Microsoft Office, and Google Drive to dupe workersNews Beware of downloading applications like ChatGPT, Microsoft Office applications, and Google Drive through search engines
-
Generative AI attacks are accelerating at an alarming rateNews Two new reports from Gartner highlight the new AI-related pressures companies face, and the tools they are using to counter them
-
A terrifying Microsoft flaw could’ve allowed hackers to compromise ‘every Entra ID tenant in the world’News The Entra ID vulnerability could have allowed full access to virtually all Azure customer accounts
