Microsoft has introduced a groundbreaking prototype known as Project Ire—an autonomous AI agent designed to analyze software files and determine whether they contain malicious code.
Developed in collaboration by teams from Microsoft Research, Microsoft Defender Research, and Microsoft Discovery & Quantum, Project Ire is engineered to autonomously reverse-engineer and classify software, eliminating the need for prior context. This significantly streamlines and scales what is typically a complex and resource-intensive process.
To accomplish this, Project Ire leverages decompilers and reverse engineering tools that extract critical insights, enabling it to assess whether a file is benign or harmful. Additionally, it generates a traceable chain of evidence that supports its conclusions.
Microsoft described the system’s multi-layered approach: “Its architecture supports analysis across multiple levels—from low-level binary inspection to reconstructing control flow and interpreting higher-level code behavior.”
Through an extensive tool-use API, the agent integrates with a variety of tools—such as memory analysis sandboxes powered by Project Freta, open-source solutions, documentation search engines, and multiple decompilers—to continuously update its understanding of files under inspection.
The core aim of Project Ire is to minimize analyst errors, reduce fatigue, and enhance threat detection and response speed, especially in the face of increasingly sophisticated attacks.
In performance tests, Project Ire demonstrated promising capabilities:
- On a set of Windows drivers, it correctly classified 90% of files, with a false positive rate of just 2%.
- In another evaluation involving 4,000 software files queued for manual analysis, 90% of the files Project Ire flagged as malicious were genuinely malicious (a precision of about 0.9), with a false positive rate of only 4%—though it managed to detect only about 25% of all actual malware (a recall of about 0.25).
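To make the three figures above comparable, here is an added worked example (not Microsoft's code or data) that reconstructs a confusion matrix from constructed counts chosen to reproduce the reported rates, and then shows what the same recall and false-positive rate would mean for precision at a much lower malware base rate, which is the situation a detector faces once it classifies "files from any source" at scale. The 2,400/1,600 split and the 1% prevalence are assumptions, not figures from the article.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Confusion:
    """Counts from a binary malware classifier evaluation."""
    tp: int  # malicious files flagged as malicious
    fp: int  # benign files flagged as malicious
    fn: int  # malicious files passed as benign
    tn: int  # benign files passed as benign

    @property
    def precision(self) -> float:
        # share of flagged files that really were malicious ("90% flagged correctly")
        return self.tp / (self.tp + self.fp)

    @property
    def recall(self) -> float:
        # share of all malware the system caught ("detected only about 25%")
        return self.tp / (self.tp + self.fn)

    @property
    def fpr(self) -> float:
        # share of benign files wrongly flagged ("4% false positives")
        return self.fp / (self.fp + self.tn)


def confusion_from_rates(n_malicious: int, n_benign: int, recall: float, fpr: float) -> Confusion:
    """Build the confusion matrix implied by a recall and a false-positive rate."""
    tp = round(n_malicious * recall)
    fp = round(n_benign * fpr)
    return Confusion(tp=tp, fp=fp, fn=n_malicious - tp, tn=n_benign - fp)


# Constructed split of a 4,000-file queue (assumed, not from the article):
# 2,400 malicious + 1,600 benign, which lands near all three reported rates.
REPORTED = confusion_from_rates(2400, 1600, recall=0.25, fpr=0.04)


def precision_at_prevalence(prevalence: float, recall: float, fpr: float) -> float:
    """Expected precision of the same detector on a population with a given malware share."""
    expected_tp = prevalence * recall
    expected_fp = (1.0 - prevalence) * fpr
    return expected_tp / (expected_tp + expected_fp)


if __name__ == "__main__":
    print(f"queue:  precision={REPORTED.precision:.3f} recall={REPORTED.recall:.2f} fpr={REPORTED.fpr:.2f}")
    # Same recall and FPR, but only 1 in 100 files is malware (assumed base rate).
    print(f"1% base rate: precision={precision_at_prevalence(0.01, 0.25, 0.04):.3f}")
```

The second line of output is the practical caveat behind the "moderate" verdict: with a 4% false-positive rate, precision collapses once benign files vastly outnumber malware, so the FPR, not the 90% figure, is the number to watch before a detector is trusted on arbitrary input.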
While Microsoft acknowledged that the overall performance was moderate, the complexity of the test environment suggests that Project Ire holds strong potential for future deployment.
As a next step, the prototype will be integrated within Microsoft Defender under the name “Binary Analyzer,” supporting threat detection and software classification.
“Our long-term vision,” Microsoft stated, “is to scale both speed and accuracy so that the system can reliably classify files from any source—even on the first interaction. Ultimately, we aim to detect new types of malware directly in memory and at scale.”