- Project Ire automates the reverse engineering and classification of malware using AI.
- It uses LLMs, Ghidra, Angr, sandboxes, and an auditable chain of evidence.
- It reached up to 98% accuracy in tests with Windows drivers.
- It already runs inside Microsoft Defender as Binary Analyzer and will be extended to in-memory malware.
Microsoft has taken a significant step in digital defense with Project Ire, an Artificial Intelligence system designed to classify malware without human help. The proposal comes at a time when threat identification requires time, expertise, and constant coordination between security teams.
The volume handled by the company's ecosystem is enormous: every month the Defender platform examines more than XNUMX billion devices, which forces it to prioritize and filter alerts to avoid analyst fatigue and errors caused by overload. Project Ire was created to relieve this bottleneck without sacrificing technical rigor.
What is Project Ire and why it matters
Project Ire is an autonomous AI agent created by Microsoft Research together with teams from Defender and Discovery & Quantum. Its mission is to automate the reverse engineering of suspicious files using advanced language models, binary analysis tools, and specialized APIs. To learn more about how Microsoft combats digital threats, see scheduled scans in Microsoft Defender.
This approach makes it possible to tackle tasks that until now required weeks of manual work, from the analysis of internal structures to the resolution of ambiguous behaviors. With it, organizations can speed up critical decisions and reserve human experts for high-impact investigations.
How it works: from triage to technical opinion
The flow starts with an automatic file triage that identifies type, packing, and areas of interest to guide the analysis. From there, it generates a control flow graph with tools such as Ghidra and Angr, which serves as the basis for understanding the binary's internal logic. If you want to learn how to detect and remove suspicious files, see How to detect and remove suspicious files.
In parallel, the agent invokes its own API to orchestrate decompilers, documentation search engines, and sandboxes, including memory analysis environments such as Project Freta and custom analysis engines. All of this information is written to an internal memory of the device that the system consults and reasons over iteratively.
A key piece is the auditable chain of evidence: every step, finding, and assessment is recorded so that an analyst can trace the reasoning behind a verdict. In addition, the system can trigger an internal validator that checks its conclusions against the typical statements made by reverse-engineering experts.
Thanks to this architecture, Project Ire not only issues a classification but also contributes verifiable technical context that facilitates review, the training of new analysts, and continuous improvement of procedures.
Another distinctive feature is its self-correcting capacity: when it detects inconsistencies in its own reasoning, it can reanalyze parts of the binary, adjust its hypotheses, and refine the outcome, thereby reducing the risk of misinterpretation.
Real-life test results
In a first scenario with public Windows drivers, the system reached 98% accuracy and 83% recall. It correctly classified around 90% of the files and generated barely 2% false positives.
A second, tougher test brought together nearly 4,000 hard-target files that had no prior labels from automatic systems. There, Project Ire worked without assistance and achieved 89% accuracy with 4% false positives; although recall was 26%, its low margin of error makes it especially useful as an initial filter before human analysis.
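The following is an added example, not code from Project Ire or Microsoft, showing how the figures above are computed from a set of verdicts and what a high-precision, low-recall classifier means when it is used as a first filter ahead of human analysts. It assumes the page's "accuracy" figures are precision in the usual classifier sense, and the file labels and 50% prevalence used below are constructed for illustration.

```python
"""Added example (not Project Ire's code): classifier metrics for a malware
triage filter and the resulting analyst workload. Sample data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Metrics:
    precision: float  # of files called malicious, fraction that really were
    recall: float     # of truly malicious files, fraction the agent caught
    fpr: float        # of benign files, fraction wrongly called malicious


def score(truth, verdicts):
    """truth and verdicts are parallel sequences of booleans, True = malicious."""
    tp = sum(t and v for t, v in zip(truth, verdicts))
    fp = sum((not t) and v for t, v in zip(truth, verdicts))
    fn = sum(t and (not v) for t, v in zip(truth, verdicts))
    tn = sum((not t) and (not v) for t, v in zip(truth, verdicts))
    return Metrics(
        precision=tp / (tp + fp) if tp + fp else 0.0,
        recall=tp / (tp + fn) if tp + fn else 0.0,
        fpr=fp / (fp + tn) if fp + tn else 0.0,
    )


def triage_split(n_files, prevalence, recall, fpr):
    """Expected queue split when the agent's 'malicious' verdicts are accepted
    as-is and every other file is routed to human analysts."""
    malicious = n_files * prevalence
    benign = n_files - malicious
    auto_tp = malicious * recall      # malware the agent confirms on its own
    auto_fp = benign * fpr            # benign files it wrongly confirms
    return {
        "auto_confirmed": round(auto_tp + auto_fp),
        "wrongly_confirmed": round(auto_fp),
        "left_for_humans": round(n_files - auto_tp - auto_fp),
        "missed_malware_in_human_queue": round(malicious - auto_tp),
    }


def demo():
    # Constructed ground truth and agent verdicts for ten hypothetical files.
    truth = [True] * 5 + [False] * 5
    verdicts = [True, True, True, True, False, True, False, False, False, False]
    return score(truth, verdicts)


if __name__ == "__main__":
    print(demo())
    # Page's second test: ~4,000 files, 26% recall, 4% false positives; the
    # 50% prevalence is an assumption, the page gives no base rate.
    print(triage_split(4000, 0.5, 0.26, 0.04))
```

With the page's 26% recall and 4% false positives, the agent closes only a small slice of the queue on its own, but the files it does confirm are wrong in very few cases, which is why the text calls it an initial filter rather than a replacement for analysts.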
Malware case studies analyzed
During validation, the agent classified advanced samples such as Trojan:Win64/Rootkit.EH!MTB, identifying hooking techniques, modification of the Explorer.exe process, and remote communication capabilities. It also detected antivirus-disabling tools, pinpointing the responsible code locations. To learn more about the types of malware it can detect, see types of malware.
The system also noticed that, in one analysis, it had misinterpreted a critical function; it re-ran its validation and corrected the diagnosis. This improves its long-term reliability in real environments.
Impact and next steps in cybersecurity
More than an incremental advance, Project Ire marks a paradigm shift: it automates tasks that used to require time, expertise, and extensive documentation. Microsoft already uses it within Defender as Binary Analyzer, so it has a direct impact on products in real use. To understand how this technology works, you can consult Complete bottleneck analysis and optimization with the Windows Performance Toolkit.
The project's leads plan to extend its reach to malware in memory and to operate at large scale worldwide, with traceability and control mechanisms that guarantee the reliability of the process. The incorporation of advanced artificial intelligence into cybersecurity is a growing trend; to dig deeper, see Fast Support Malware.
By integrating these advances, a scenario takes shape in which reliable automation improves efficiency without giving up supervision, combining precision, traceability, and continuous learning to raise the level of protection and give analysts robust, efficient support.