
Microsoft Launches Project Ire to Autonomously Classify Malware Using AI Tools

Posted on August 6, 2025 By CWS

Aug 06, 2025Ravie LakshmananArtificial Intelligence / Menace Detection
Microsoft on Tuesday introduced an autonomous synthetic intelligence (AI) agent that may analyze and classify software program with out help in an effort to advance malware detection efforts.
The big language mannequin (LLM)-powered autonomous malware classification system, at present a prototype, has been codenamed Undertaking Ire by the tech big.
The system “automates what is taken into account the gold commonplace in malware classification: absolutely reverse engineering a software program file with none clues about its origin or function,” Microsoft stated. “It makes use of decompilers and different instruments, critiques their output, and determines whether or not the software program is malicious or benign.”
Undertaking Ire, per the Home windows maker, is an effort to allow malware classification at scale, speed up menace response, and scale back the handbook efforts that analysts should undertake to be able to look at samples and decide if they’re malicious or benign.

Specifically, it uses specialized tools to reverse engineer software, conducting analysis at various levels, ranging from low-level binary analysis to control flow reconstruction and high-level interpretation of code behavior.
“Its tool-use API enables the system to update its understanding of a file using a wide range of reverse engineering tools, including Microsoft memory analysis sandboxes based on Project Freta, custom and open-source tools, documentation search, and multiple decompilers,” Microsoft said.
Project Freta is a Microsoft Research initiative that enables “discovery sweeps for undetected malware,” such as rootkits and advanced malware, in memory snapshots of live Linux systems during memory audits.

The evaluation is a multi-step process –

  • Automated reverse engineering tools identify the file type, its structure, and potential areas of interest
  • The system reconstructs the software’s control flow graph using frameworks like angr and Ghidra
  • The LLM invokes specialized tools through an API to identify and summarize key functions
  • The system calls a validator tool to verify its findings against evidence used to reach the verdict and classify the artifact

The summarization leaves a detailed “chain of evidence” log that details how the system arrived at its conclusion, allowing security teams to review and refine the process in case of a misclassification.
In tests conducted by the Project Ire team on a dataset of publicly accessible Windows drivers, the classifier has been found to correctly flag 90% of all files and incorrectly identify only 2% of benign files as threats. A second evaluation of nearly 4,000 “hard-target” files rightly labeled nearly 9 out of 10 malicious files as malicious, with a false positive rate of only 4%.

“Based on these early successes, the Project Ire prototype will be leveraged inside Microsoft’s Defender organization as Binary Analyzer for threat detection and software classification,” Microsoft said.
“Our goal is to scale the system’s speed and accuracy so that it can correctly classify files from any source, even on first encounter. Ultimately, our vision is to detect novel malware directly in memory, at scale.”
The development comes as Microsoft said it awarded a record $17 million in bounty awards to 344 security researchers from 59 countries through its vulnerability reporting program in 2024.
A total of 1,469 eligible vulnerability reports were submitted between July 2024 and June 2025, with the highest individual bounty reaching $200,000. Last year, the company paid $16.6 million in bounty awards to 343 security researchers from 55 countries.

The Hacker News | Tags: Autonomously, Classify, Ire, Launches, Malware, Microsoft, Project, Tools
