Microsoft Research, in collaboration with teams from Microsoft Defender Research and Microsoft Discovery & Quantum, has unveiled Project Ire—an autonomous artificial intelligence agent designed to analyze and classify software as malicious or benign without requiring human context or guidance. The system automates the process of reverse engineering, historically considered the gold standard in malware analysis, by using decompilers, binary analysis tools, and advanced language models to scrutinize the internal structure and behavior of software files.
Project Ire stands out from existing security solutions through its capacity to replicate the nuanced, judgment-driven analysis typically performed by expert human reverse engineers. Many AI-driven security tools operate in settings with a clear validator or a well-defined outcome to check against; malware classification has neither, because threats are deliberately ambiguous and adversarial, so a verdict has to be built up through incremental, evidence-based investigation. Project Ire’s architecture employs a suite of proprietary and open-source tools, including Microsoft’s memory analysis sandboxes from Project Freta and frameworks such as angr and Ghidra, to reconstruct control flow and perform detailed function-level analysis. At each stage it records a comprehensible and auditable ‘chain of evidence’ that supports both the classification itself and any later secondary review by a human expert.
On a public dataset of Windows drivers, Project Ire achieved a precision of 0.98 and a recall of 0.83 when separating malicious from benign files, misclassifying just 2% of the benign drivers (a 2% false positive rate). In real-world trials on nearly 4,000 challenging ‘hard-target’ files that had been queued for human expert analysis, almost 90% of the files it flagged as malicious were in fact malicious (precision 0.89), with a 4% false positive rate; Microsoft’s published evaluation also reports a recall of 0.26 on this set, so the agent behaved conservatively, rarely raising a false alarm but catching only about a quarter of the malware. Reports generated for individual cases provide function-level summaries of behaviour and highlight suspicious patterns such as process manipulation, command-and-control activity, and anti-security functions.
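Precision, recall and false positive rate are reported separately, but together they pin down the whole confusion matrix, and with it the base rate of malware in the evaluated set and the number of alerts an analyst would have to triage. The following added example (written for this page, not Microsoft's or Project Ire's code) back-solves those counts from the three reported rates. The driver figures (0.98 / 0.83 / 2%) and the hard-target figures (0.89 / 4% on nearly 4,000 files) come from the article; the hard-target recall of 0.26 is taken from Microsoft's published evaluation. The file count of 4,000 is used as a round assumption for the hard-target set.

```python
"""Back-solve a malware classifier's confusion matrix from reported rates.

Added illustration for this article; it is not Project Ire code.
Derivation (per unit of N, with prevalence p):
    TP = R * p            FP = F * (1 - p)
    P  = TP / (TP + FP) = R*p / (R*p + F*(1-p))
solving for p:
    p  = P*F / (R*(1-P) + P*F)
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Confusion:
    """Expected counts; fractional because they are derived from rates."""
    tp: float
    fp: float
    fn: float
    tn: float

    @property
    def precision(self) -> float:
        return self.tp / (self.tp + self.fp)

    @property
    def recall(self) -> float:
        return self.tp / (self.tp + self.fn)

    @property
    def fpr(self) -> float:
        return self.fp / (self.fp + self.tn)

    @property
    def prevalence(self) -> float:
        return (self.tp + self.fn) / (self.tp + self.fp + self.fn + self.tn)


def implied_prevalence(precision: float, recall: float, fpr: float) -> float:
    """Fraction of the evaluated set that must be malicious for the three
    reported rates to be mutually consistent."""
    if not (0.0 < precision <= 1.0 and 0.0 < recall <= 1.0 and 0.0 <= fpr < 1.0):
        raise ValueError("expect precision, recall in (0, 1] and fpr in [0, 1)")
    if fpr == 0.0:
        # No false positives means precision is 1 whatever the base rate,
        # so the rates carry no information about prevalence.
        raise ValueError("prevalence is not identifiable when fpr == 0")
    if precision == 1.0:
        # FP > 0 (fpr > 0 with any benign files) forces precision < 1.
        raise ValueError("precision 1.0 is inconsistent with a non-zero fpr")
    return precision * fpr / (recall * (1.0 - precision) + precision * fpr)


def confusion_from_rates(precision: float, recall: float, fpr: float,
                         n: int) -> Confusion:
    """Expected TP/FP/FN/TN for an evaluation of n files with these rates."""
    p = implied_prevalence(precision, recall, fpr)
    positives = p * n
    negatives = n - positives
    return Confusion(
        tp=recall * positives,
        fp=fpr * negatives,
        fn=(1.0 - recall) * positives,
        tn=(1.0 - fpr) * negatives,
    )


def triage_summary(precision: float, recall: float, fpr: float, n: int) -> dict:
    """Numbers a SOC lead actually wants: how many alerts, how many of them
    are real, and how much malware slips past to the human queue."""
    c = confusion_from_rates(precision, recall, fpr, n)
    return {
        "malicious_in_set": round(c.tp + c.fn),
        "alerts": round(c.tp + c.fp),
        "true_alerts": round(c.tp),
        "false_alerts": round(c.fp),
        "missed_malware": round(c.fn),
    }


if __name__ == "__main__":
    # Windows driver benchmark as reported: P=0.98, R=0.83, FPR=2%.
    print("driver set prevalence:", round(implied_prevalence(0.98, 0.83, 0.02), 3))
    # Hard-target trial: P=0.89, FPR=4% (article); R=0.26 (Microsoft's writeup);
    # 4,000 files is an assumed round figure for "nearly 4,000".
    print("hard-target triage:", triage_summary(0.89, 0.26, 0.04, 4000))
```

Run as a script it shows that both evaluation sets were roughly half malicious, and that on the hard-target set a 4% false positive rate translates to about 70 spurious alerts against roughly 580 true ones, while around 1,600 malicious files would still have reached the human queue. That is the operational reading of "high precision, low recall": the agent is safe to trust when it says malicious, but it is a filter in front of analysts, not a replacement for them.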
Moving forward, Project Ire will be integrated into Microsoft Defender operations under the name Binary Analyzer. The roadmap envisions scaling the system to autonomously and accurately classify software from any source, including previously unseen threats, and advancing toward direct in-memory malware detection at a global scale. Microsoft credits developers and partners such as Emotion Labs for their contributions to the project’s cyber autonomy framework, emphasizing the potential for this approach to transform how organizations defend against evolving malware threats.