Microsoft quietly launched an AI agent that can detect and reverse engineer malware
Researchers say the tool is already achieving the “gold standard” in malware classification
Microsoft has launched an autonomous agent for detecting malware – and it’s already completed a first-of-a-kind detection of an active hacking group.
Project Ire is an AI agent capable of reverse engineering software files to investigate whether they’re malicious and analyze their origins, even if they don’t match any previously-cataloged threats.
Powered by a combination of large language models (LLMs) and specialized cybersecurity analysis tools, the agent is intended to automate malware classification to ease cybersecurity analyst burnout.
In recent tests, Project Ire was exposed to known samples from a database of tools hackers have used for living-off-the-land attacks, alongside harmless Windows drivers.
The agent correctly flagged 90% of all files, with only a 2% false positive rate, confirming the malicious nature of files such as a kernel-level rootkit by identifying suspicious features like process termination and a web-connected command and control structure.
Microsoft researchers described its ability to blindly reverse engineer files as “the gold standard in malware classification”.
They added that Project Ire is the first reverse engineer at Microsoft to build a strong enough case against a specific advanced persistent threat (APT) malware strain to justify its automatic blocking in Windows Defender.
In a broader test, researchers exposed Project Ire to 4,000 files that were unclassified by Microsoft’s automated systems and would normally have to be reviewed by highly-skilled reverse engineers.
Project Ire achieved a precision score of 0.89, meaning 90% of the files it marked as malicious were indeed threats, alongside an overall recall score of 0.26, meaning it discovered around 25% of all the malware in the sample.
Microsoft noted the tool achieved these results autonomously, with none of the files it was exposed to having been present in its training data, adding that other autonomous tools made by Microsoft were unable to classify the files at all.
Project Ire was created as a joint project between Microsoft Research, Microsoft Defender Research, and Microsoft Discovery & Quantum.
Project Ire could shake up AI malware classification
Malware classification is a painstaking process, in which experts pore over hundreds or thousands of files to determine whether a given piece of software has a malicious purpose.
In the past it’s been nearly impossible to automate, as AI tools can’t easily reverse engineer files without their context. They also lack the ability to definitively validate whether a file is malicious, as specific features within software could have both malicious and benign purposes.
Microsoft has attempted to overcome these limitations through Project Ire by equipping it with multi-level reasoning capabilities and the ability to call open source tools, documentation, and decompilers via API calls.
Every time Project Ire analyzes a file, the agent first runs triage to classify it, note its structure, and capture any other details that could point to its purpose or origin.
It then reverse engineers the file’s control flow graph, a graph representation of a program’s execution paths, using the open source frameworks angr and Ghidra.
Project Ire can then call specific tools via an API to investigate specific functions within the file, adding each finding to an auditable chain of evidence that human analysts can check afterward to validate the LLM’s findings.
It can also periodically cross-check its own claims using a built-in ‘validator’ tool, which draws on expert statements from the human malware reverse engineers who helped build Project Ire as context for a final call on whether the file is malicious or benign.
This is then summarized in a final report for analyst oversight.
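As an added illustration (not Microsoft’s code, and not a description of how Project Ire is actually implemented), the sketch below models the workflow the article describes: triage maps observed features into an append-only, hash-chained evidence log that an analyst can verify after the fact, and a ‘validator’ stage issues a verdict only from a combination of features that expert statements treat as malicious. The import names, feature rules and expert statements are constructed samples.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Constructed mapping from observed imports to behavioural features (hypothetical,
# not Project Ire's rules). Any single feature is ambiguous on its own.
FEATURE_RULES = {
    "TerminateProcess": "process termination",
    "ZwTerminateProcess": "process termination",
    "InternetOpenUrlA": "web-connected command and control",
    "WinHttpSendRequest": "web-connected command and control",
    "IoCreateDevice": "kernel device object",
}

# Constructed 'expert statements': which feature combinations justify a verdict.
EXPERT_CONTEXT = [
    ({"process termination", "web-connected command and control"}, "malicious"),
]

@dataclass
class EvidenceChain:
    """Append-only log of findings; each record hashes its predecessor, so an
    analyst can detect any record altered or dropped after the analysis ran."""
    records: list = field(default_factory=list)

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def add(self, tool, claim, evidence):
        prev = self.records[-1]["digest"] if self.records else "0" * 64
        body = {"tool": tool, "claim": claim, "evidence": evidence, "prev": prev}
        body["digest"] = self._digest(body)
        self.records.append(body)
        return body

    def verify(self):
        prev = "0" * 64
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "digest"}
            if body["prev"] != prev or self._digest(body) != rec["digest"]:
                return False
            prev = rec["digest"]
        return True

def triage(imports):
    """Stage 1: map imports to features, logging every hit with its evidence."""
    chain = EvidenceChain()
    for name in imports:
        if name in FEATURE_RULES:
            chain.add("import-scan", FEATURE_RULES[name], f"imports {name}")
    return chain

def validate(chain, expert_context=EXPERT_CONTEXT):
    """Stage 2 (validator): refuse a tampered chain; otherwise decide only from
    feature combinations the expert statements cover, defaulting to benign."""
    if not chain.verify():
        return "tampered"
    features = {r["claim"] for r in chain.records}
    for required, verdict in expert_context:
        if required <= features:
            return verdict
    return "benign"
```

A benign driver that only terminates processes stays ‘benign’ under these rules; the verdict flips only when the combination the expert statements name is present, and any post-hoc edit to the log is caught by `verify()`.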
Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.