Microsoft has launched an autonomous agent for detecting malware – and it’s already completed a first-of-a-kind detection of an active hacking group.
Project Ire is an AI agent capable of reverse engineering software files to investigate whether they’re malicious and analyze their origins, even if they don’t match any previously-cataloged threats.
Powered by a combination of large language models (LLMs) and specialized cybersecurity analysis tools, the agent is intended to automate malware classification to ease cybersecurity analyst burnout.
In recent tests, Project Ire was exposed to known samples from a database hackers have used for living off the land attacks, alongside harmless Windows drivers.
The agent correctly flagged 90% of all files, with only a two percent false positive rate, confirming the malicious nature of files such as a kernel-level rootkit by identifying suspicious features like process termination and a web-connected command and control structure.
Microsoft researchers described its ability to blindly reverse engineer files as “the gold standard in malware classification”.
They added that Project Ire is the first reverse engineer at Microsoft to build a strong enough case against a specific advanced persistent threat (APT) malware strain to justify its automatic blocking in Windows Defender.
In a broader test, researchers exposed Project Ire to 4,000 files that were unclassified by Microsoft’s automated systems and would normally have to be reviewed by highly-skilled reverse engineers.
Project Ire achieved a precision score of 0.89, meaning 90% of the files it marked as malicious were indeed threats, alongside an overall recall score of 0.26 meaning it discovered around 25% of all the malware in the sample.
Microsoft noted the tool achieved these results autonomously, with none of the files it was exposed to having been present in its training data, adding that other autonomous tools made by Microsoft were unable to classify the files at all.
Project Ire was created as a joint project between Microsoft Research, Microsoft Defender Research, and Microsoft Discovery & Quantum.
Project Ire could shake up AI malware classification
Malware classification is a painstaking process, in which experts pore over hundreds or thousands of files to determine whether a given piece of software has a malicious purpose.
In the past it’s been nearly impossible to automate, as AI tools can’t easily reverse engineer files without their context. They also lack the ability to definitively validate whether a file is malicious, as specific features within software could have both malicious and benign purposes.
Microsoft has attempted to overcome these limitations through Project Ire by equipping it with multi-level reasoning capabilities and the ability to call open source tools, documentation, and decompilers via API calls.
Every time Project Ire analyzes a file, the agent first runs triage to classify it, note its structure, and capture any other details that could point to its purpose or origin.
It then reverse engineers the file’s control flow graph, a graphic representation of a program’s execution paths, using the open source frameworks angr and Ghidra.
Project Ire can then call specific tools via an API to investigate specific functions within the file, adding each finding to an auditable chain of evidence that human analysts can check afterward to validate the LLM’s findings.
It is capable of periodically cross-checking its own claims using a built-in ‘validator’ tool, which uses expert statements from human malware reverse engineers who helped build Project Ire as context for making a final call for whether the file is malicious or benign.
This is then summarized in a final report for analyst oversight.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
AWS CEO Matt Garman just said what everyone is thinking about AI replacing software developersNews Junior developers aren’t going anywhere, according to AWS CEO Matt Garman
-
Workday snaps up AI-powered conversation recruitment platform, ParadoxNews Workday will integrate Paradox’s AI-driven candidate experience agent to help deliver talent faster
-
Employee distraction is now your biggest cybersecurity riskNews Workplace distraction is the top reason organizations fall victim to cyber attacks, according to new research.
-
Apple just released an emergency patch for a zero-day exploited in the wild – here’s why you need to update nowNews Apple is warning millions of users of iPhones, iPads and Macs to update their software to protect against an out-of-bounds write vulnerability
-
Cyber teams are struggling to keep up with a torrent of security alertsNews Fragmented identity security processes are creating blind spots, and the proliferation of tools doesn't help
-
The Allianz Life data breach just took a huge turn for the worseNews Around 1.1 million Allianz Life customers are believed to have been impacted in a recent data breach, making up the vast majority of the insurer's North American customers.
-
US authorities just took down 'one of the most powerful DDoS botnets to ever exist’ with help from AWSNews The Rapper Bot botnet was responsible for a series of large-scale DDoS attacks on government agencies and tech companies. Now it's gone.
-
Flaw in Lenovo’s customer service AI chatbot could let hackers run malicious code, breach networksNews Hackers abusing the Lenovo flaw could inject malicious code with just a single prompt
-
UK telecoms firm takes systems offline after cyber attackNews The Warlock ransomware group said it was selling a million stolen documents
-
Everything we know about the Workday data breach so far
News HR technology firm Workday has confirmed a data breach after threat actors gained access to a third-party CRM platform.
