Microsoft has unveiled Project Ire, an autonomous AI agent capable of reverse engineering and classifying malware at an unprecedented scale.
The system achieved a precision of 0.98 and a recall of 0.83 during testing on Windows drivers, marking a significant advance in cybersecurity automation.
Project Ire is the first AI system to author a conviction case strong enough for automated malware blocking, successfully identifying advanced persistent threat (APT) samples that Microsoft Defender has since blocked across its billion-device network.
Key Takeaways
1. Project Ire automatically analyzes and identifies malware using advanced decompilation tools.
2. Achieved 98% precision in testing with only 4% false positives on challenging real-world samples.
3. Deploying across Microsoft Defender's 1 billion device network to automate threat detection.
Automated Malware Analysis
Project Ire operates through a sophisticated toolkit of reverse engineering instruments, including the angr framework, the Ghidra decompiler, and Microsoft's proprietary memory analysis sandboxes based on Project Freta.
The system constructs detailed control flow graphs to map software behavior, enabling comprehensive binary analysis without human intervention.
Through its tool-use API, Project Ire can invoke specialized functions to examine file structures, reconstruct execution paths, and identify malicious code patterns.
The AI agent employs iterative function analysis, systematically examining each component while building a "chain of evidence" for auditable decision-making.
This approach allows the system to handle complex samples such as Trojan:Win64/Rootkit.EH!MTB (SHA256: 86047bb1969d1db455493955fd450d18c62a3f36294d0a6c3732c88dfbcc4f62), where it successfully identified kernel-level rootkit behaviors including process termination functions and HTTP command-and-control communications.
During evaluation against nearly 4,000 "hard-target" files that stumped automated systems, Project Ire achieved 0.89 precision with only a 4% false positive rate.
The system correctly classified samples such as HackTool:Win64/KillAV!MTB (SHA256: b6cb163089f665c05d607a465f1b6272cdd5c949772ab9ce7227120cf61f971a), identifying functions that terminate antivirus processes by searching for specific executable names, including 'avp.exe' and '360Tray.exe'.
Project Ire's validator tool cross-references findings against expert knowledge, ensuring accuracy in complex scenarios.
When analyzing anti-debugging mechanisms involving software interrupts (int 0x29 and int 0x3), the system correctly flagged uncertain claims for human review, demonstrating sophisticated uncertainty handling.
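The "chain of evidence" idea, the KillAV string-based finding, and the routing of uncertain claims to human review described above can be illustrated with a small triage routine. The following is an added example written for this article, not Project Ire's own code or Microsoft's: it extracts printable strings from a constructed byte blob, matches them against the indicators the article names ('avp.exe', '360Tray.exe', a process termination API, and the int 0x29 / int 0x3 interrupts), records every finding with a confidence value, and sends low-confidence claims to a human. The indicator weights, the review threshold, the sample blob and the classification rule are all assumptions made for the example.

```python
"""
Added example (not Microsoft's Project Ire code): a toy "chain of evidence"
triage step. Indicator weights, thresholds and the sample bytes are assumed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample blob standing in for strings a decompiler would expose
# from a KillAV-style binary. It is not a real malware sample.
SAMPLE_BLOB = (
    b"\x00\x00MZ\x90\x00" + b"\x00" * 8
    + b"TerminateProcess\x00OpenProcess\x00"
    + b"avp.exe\x00360Tray.exe\x00"
    + b"\x00\x00int 0x29\x00"          # anti-debug interrupt mention
    + b"\xff\xfe" * 4
)

# Indicators taken from the article; confidence weights are assumptions.
PROCESS_NAME_INDICATORS = {"avp.exe": 0.6, "360Tray.exe": 0.6}
API_INDICATORS = {"TerminateProcess": 0.7, "OpenProcess": 0.5}
UNCERTAIN_INDICATORS = {"int 0x29": 0.3, "int 0x3": 0.3}   # ambiguous on its own

REVIEW_THRESHOLD = 0.5   # assumed: claims below this go to a human reviewer


@dataclass
class Evidence:
    claim: str        # human-readable statement the verdict rests on
    source: str       # the extracted string that supports it
    confidence: float


@dataclass
class Verdict:
    label: str
    needs_review: list = field(default_factory=list)
    chain: list = field(default_factory=list)


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Return printable-ASCII runs of at least min_len bytes (like `strings`)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode() for m in re.finditer(pattern, blob)]


def build_chain(strings: list) -> list:
    """Turn matched strings into an ordered, auditable list of Evidence."""
    chain = []
    for s in strings:
        for name, conf in PROCESS_NAME_INDICATORS.items():
            if name in s:
                chain.append(Evidence(f"references security product process {name}", s, conf))
        for api, conf in API_INDICATORS.items():
            if api in s:
                chain.append(Evidence(f"mentions process-control API {api}", s, conf))
        for marker, conf in UNCERTAIN_INDICATORS.items():
            if marker in s:
                chain.append(Evidence(f"possible anti-debug interrupt {marker}", s, conf))
    return chain


def classify(blob: bytes) -> Verdict:
    """Build the evidence chain, split off uncertain claims, and label the blob."""
    chain = build_chain(extract_strings(blob))
    verdict = Verdict(label="unknown", chain=chain)
    verdict.needs_review = [e for e in chain if e.confidence < REVIEW_THRESHOLD]
    has_av_name = any("security product process" in e.claim for e in chain)
    has_terminate = any("TerminateProcess" in e.claim for e in chain)
    # Assumed rule: naming security products plus a termination API is KillAV-like.
    if has_av_name and has_terminate:
        verdict.label = "HackTool-like: terminates security processes"
    elif chain:
        verdict.label = "suspicious: partial evidence"
    else:
        verdict.label = "no indicators"
    return verdict


if __name__ == "__main__":
    v = classify(SAMPLE_BLOB)
    print(v.label)
    for e in v.chain:
        print(f"  [{e.confidence:.1f}] {e.claim}  <- {e.source!r}")
    for e in v.needs_review:
        print(f"  REVIEW: {e.claim}")
```

The point of keeping every finding as an Evidence record, rather than just returning a label, is that a reviewer can trace the verdict back to the exact string that produced each claim; the anti-debug interrupt is deliberately left below the threshold because, as the article notes, such a claim is not conclusive without a human looking at it.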
Integration Into Microsoft Defender
The prototype will be deployed as Binary Analyzer within Microsoft's Defender organization, addressing analyst burnout and standardizing threat classification across global operations.
Built on the same agentic foundation as GraphRAG and Microsoft Discovery, Project Ire leverages large language models with specialized security expertise.
Microsoft's collaboration with Emotion Labs contributed critical innovations in cyber autonomy, while the system incorporates several open-source tools, including decompilers and binary analysis frameworks.
The ultimate goal is to detect novel malware directly in memory at global scale, transforming how organizations defend against evolving cyber threats through autonomous AI-driven analysis.