Microsoft’s Project Ire uses AI to autonomously reverse engineer and classify software as malicious or benign.
Microsoft announced Project Ire, an autonomous artificial intelligence (AI) system that can reverse engineer and classify software without human assistance.
Project Ire is an LLM-powered autonomous malware classification system that uses decompilers and other tools, reviews their output, and determines the nature of the software.
“Today, we are excited to introduce an autonomous AI agent that can analyze and classify software without assistance, a step forward in cybersecurity and malware detection,” reads the announcement. “The prototype, Project Ire, automates what is considered the gold standard in malware classification: fully reverse engineering a software file without any clues about its origin or purpose.”
Project Ire, developed by Microsoft’s research and security teams, uses AI and reverse engineering tools to classify malware with 0.98 precision and 0.83 recall. Microsoft pointed out that the system is the company’s first reverse engineer, human or machine, to author a conviction case for APT malware, leading to automatic blocking by Microsoft Defender. Built on collaborations such as GraphRAG and Microsoft Discovery, it merges AI with global malware telemetry for advanced threat detection.
The tech giant states that Microsoft Defender scans over a billion devices monthly, but malware classification still relies heavily on expert review because of the complexity and ambiguity of threats. Analysts face fatigue and burnout from manual work, especially since many behaviors in software don’t clearly signal whether they’re malicious. Unlike other AI security tasks, malware classification lacks definitive validation, making automation difficult and highlighting the need for scalable, intelligent solutions.
“Project Ire attempts to address these challenges by acting as an autonomous system that uses specialized tools to reverse engineer software. The system’s architecture allows for reasoning at multiple levels, from low-level binary analysis to control flow reconstruction and high-level interpretation of code behavior,” continues the announcement. “Its tool-use API enables the system to update its understanding of a file using a wide range of reverse engineering tools, including Microsoft memory analysis sandboxes based on Project Freta, custom and open-source tools, documentation search, and multiple decompilers.”
Project Ire starts by using its tools to identify what a file is and how it works. It then maps out how the software runs using tools such as angr and Ghidra [1]. As it digs deeper, it uses AI to study key parts of the software and builds a clear trail of evidence showing how it reached its decision, so that security experts can double-check its work. Finally, it cross-checks its findings and writes a full report stating whether the software is safe or harmful.
The AI-based system was tested on a set of Windows drivers, including malicious ones from the Living off the Land Drivers database and safe ones from Windows Update, to evaluate its ability to classify malware accurately.
“This classifier performed well, correctly identifying 90% of all files and flagging only 2% of benign files as threats. It achieved a precision of 0.98 and a recall of 0.83. This low false-positive rate suggests clear potential for deployment in security operations, alongside expert reverse engineering reviews,” concludes the announcement. “For each file it analyzes, Project Ire generates a report that includes an evidence section, summaries of all examined code functions, and other technical artifacts.”
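As an added example (not code from Microsoft or the announcement), the following Python script checks whether the four figures quoted above are mutually consistent and what malicious-to-benign balance of the driver test set they imply; it assumes the "2% of benign files flagged" figure is the false-positive rate.

```python
"""Consistency check for the Project Ire evaluation figures quoted above.

Added example, not Microsoft's code. It treats the reported precision (0.98),
recall (0.83) and benign false-positive rate (2%) as exact, solves for the
malicious:benign ratio those three numbers imply, and then checks that the
implied overall accuracy matches the reported 90%.
"""


def implied_positive_ratio(precision: float, recall: float, fpr: float) -> float:
    """Return P/N, the ratio of malicious (P) to benign (N) samples.

    With TP = recall*P, FP = fpr*N and precision = TP / (TP + FP), solving
    precision*(recall*P + fpr*N) = recall*P for P/N gives:
        P/N = precision*fpr / (recall*(1 - precision))
    """
    if not (0 < precision < 1 and 0 < recall <= 1 and 0 <= fpr < 1):
        raise ValueError("metrics must be rates in the unit interval")
    return precision * fpr / (recall * (1.0 - precision))


def confusion_rates(precision: float, recall: float, fpr: float) -> dict:
    """Confusion matrix implied by the metrics, as fractions of the whole set."""
    ratio = implied_positive_ratio(precision, recall, fpr)
    p = ratio / (1.0 + ratio)  # fraction of samples that are malicious
    n = 1.0 - p                # fraction that are benign
    return {
        "positive_fraction": p,
        "tp": recall * p,
        "fn": (1.0 - recall) * p,
        "fp": fpr * n,
        "tn": (1.0 - fpr) * n,
    }


def implied_accuracy(precision: float, recall: float, fpr: float) -> float:
    """Overall accuracy = TP + TN as fractions of the whole set."""
    m = confusion_rates(precision, recall, fpr)
    return m["tp"] + m["tn"]


if __name__ == "__main__":
    # Figures quoted from the announcement; FPR is the "2% of benign files flagged".
    prec, rec, fpr = 0.98, 0.83, 0.02
    m = confusion_rates(prec, rec, fpr)
    print(f"implied malicious share of test set: {m['positive_fraction']:.1%}")
    print(f"implied accuracy: {implied_accuracy(prec, rec, fpr):.1%} (reported: 90%)")
```

The implied accuracy comes out at about 89.9%, so the four reported numbers are consistent with a test set that is roughly 54% malicious drivers.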