
Artificial Intelligence-driven Malware Detection Software Debuts by Microsoft: Insights into Functionality and Operation

Microsoft's AI project, codenamed Ire, autonomously identifies and stops malware, seeking to bolster Defender with cutting-edge reverse-engineering and real-time security safeguards.

Microsoft Launches AI-Driven Antivirus Software: Insight into its Functioning and Capabilities

Microsoft has developed a groundbreaking AI system, Project Ire, designed to detect and analyse malware with impressive precision. The system, currently in its prototype phase, is being developed in collaboration with Microsoft Research, Microsoft Defender Research, and Microsoft Discovery & Quantum.

In early real-world tests, Project Ire correctly detected 9 out of 10 malicious files, demonstrating its effectiveness in malware detection. The system's precision rates are around 98%, with recall rates of approximately 83% in tested datasets. It maintains a very low false positive rate of about 2-4%, minimising unnecessary alerts and supporting practical security operations.

Project Ire's strength lies in its ability to autonomously analyse and classify both known and novel malware, including advanced persistent threats (APT), without relying on traditional signatures or behavioural rules. It was the first reverse engineer at Microsoft, human or AI, to produce an autonomous blocking decision for certain threats, which Microsoft Defender subsequently neutralised.

The system uses a sophisticated multi-stage analysis process that combines advanced AI with a rich toolbox of reverse engineering and binary analysis techniques. These include low-level binary analysis and control flow graph reconstruction using tools like Ghidra and Angr, memory analysis sandboxes inspired by Microsoft Project Freta for dynamic examination, a tool-use API enabling the autonomous invocation of custom and open-source reverse engineering utilities, and iterative function analysis guided by large language models (LLMs) that summarise code functions and build a "chain of evidence" for traceability.

Project Ire also includes a validation layer that cross-checks findings against expert malware reverse engineer statements to ensure accuracy. The system ultimately produces an evidence-based forensic report that classifies the sample as malicious or benign, supporting transparent, auditable cybersecurity decisions.

In testing on over 4,000 hard-to-classify files, Project Ire identified nearly 90% of actual malware, demonstrating strong robustness in both controlled datasets and real-world scenarios.

Project Ire's automated reports might aid in maintaining consistency across large-scale malware detection. In tests using a mix of real and fake Windows drivers, Project Ire performed better, detecting 90% of threats with a lower false positive rate of 2%. The false positive rate for Project Ire in early development is around 4%. Reports from Project Ire highlight specific code sections that raised concerns.

Manual analysis of suspicious files by expert analysts is traditionally slow and exhausting. Project Ire uses advanced techniques like decompilation and control flow analysis to reverse-engineer software files, potentially helping security teams respond more effectively due to its automated nature.

In recall tests, Project Ire managed to catch about a quarter of all malware.

Key techniques used by Project Ire include AI-driven large language models (LLMs) for guiding analysis and generating natural language code/function summaries, binary analysis frameworks like Ghidra and Angr for building control flow graphs and analysing machine code structure, memory analysis sandboxes for dynamic inspection of program behaviour in controlled environments, a tool-use API for orchestrating autonomous tool invocation and iterative evidence gathering, a validation module for cross-checking findings with expert knowledge and internal heuristics, and forensic reporting for generating detailed, auditable evidence and classification reports.
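As an added illustration (not Microsoft's code) of the validation layer and chain of evidence described above, the Python below models the step where LLM-generated function summaries are admitted only when the tool-derived facts support them, and admitted findings are then rolled into an auditable verdict. The function identifiers, import sets and claims are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Claim:
    """One LLM-style statement about a function, tied to tool-derived evidence."""
    function: str        # function identifier from the reconstructed CFG
    summary: str         # natural-language summary of what the function does
    evidence: list[str]  # imported APIs the summary relies on
    suspicious: bool     # whether the summary argues for malicious intent

# Constructed stand-in for facts a binary analysis framework (Ghidra/angr) would
# report: each CFG function and the imports it actually references.
CFG_FACTS = {
    "sub_401000": {"RegOpenKeyExW", "RegSetValueExW"},
    "sub_401200": {"CreateFileW", "WriteFile"},
    "sub_401400": {"InternetOpenW", "HttpSendRequestW"},
}

# Constructed claims; the third cites an API the function never calls, the kind
# of unsupported statement the validation layer exists to catch.
CLAIMS = [
    Claim("sub_401000", "modifies a registry value", ["RegOpenKeyExW", "RegSetValueExW"], True),
    Claim("sub_401400", "sends an HTTP request to a remote host", ["InternetOpenW", "HttpSendRequestW"], True),
    Claim("sub_401200", "encrypts and writes a file", ["WriteFile", "CryptEncrypt"], True),
]

def validate(claims, facts):
    """Validation layer: admit a claim only if every API it cites is present in
    the tool-derived facts for that function; otherwise reject it and record
    which cited evidence was unsupported."""
    admitted, rejected = [], []
    for c in claims:
        unsupported = sorted(set(c.evidence) - facts.get(c.function, set()))
        if unsupported:
            rejected.append((c, unsupported))
        else:
            admitted.append(c)
    return admitted, rejected

def verdict(admitted, threshold=2):
    """Forensic report: classify as malicious only when enough validated
    suspicious claims exist, and list the exact functions behind the decision."""
    flagged = [c for c in admitted if c.suspicious]
    chain = [f"{c.function}: {c.summary} (evidence: {', '.join(c.evidence)})"
             for c in flagged]
    label = "malicious" if len(flagged) >= threshold else "benign"
    return {"label": label, "chain_of_evidence": chain}

if __name__ == "__main__":
    ok, bad = validate(CLAIMS, CFG_FACTS)
    for c, missing in bad:
        print(f"rejected {c.function}: unsupported evidence {missing}")
    print(verdict(ok))
```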

This combination enables Project Ire to detect novel malware independently, accurately, and at scale without predefined signatures or behavioural heuristics. Microsoft plans to build this technology into Microsoft Defender as a new feature called Binary Analyser.


The advanced AI system, Project Ire, showcases impressive precision in both malware detection and analysis, with a precision rate of 98% and a recall rate of approximately 83%, while maintaining a low false positive rate of 2-4%. Leveraging technology such as Ghidra, Angr, and large language models (LLMs), Project Ire autonomously analyses known and novel malware, including advanced persistent threats (APT), without relying on traditional signatures or behavioural rules. It is planned to be integrated into Microsoft Defender as a new feature called Binary Analyser.
