Stable Agentic Control: Tool-Mediated LLM Architecture for Autonomous Cyber Defense
Abstract: Agentic systems that make high-stakes decisions under adversarial pressure need formal guarantees that existing approaches do not offer. Motivated by the operational needs of security operations centers (SOCs) that must configure endpoint detection and response (EDR) policies while an adversary is active, we present a tool-mediated architecture: LLM agents invoke deterministic tools (Stackelberg best-response, Bayesian observer updates, attack-graph primitives) and may only select actions from finite catalogs, a constraint enforced at the tool-output interface rather than by the model.
A composite Lyapunov function, machine-checked in Lean 4 with no `sorry` placeholders, certifies controllability, observability from asymmetric sensor data, and Input-to-State Stability (ISS) robustness under intelligent adversarial disturbance; two corollaries extend the certificate to any controller or adversary drawn from the catalogs.
On 282 real enterprise attack graphs, the certified claims hold with margin. On paired offensive/defensive telemetry, a tool-mediated Claude Sonnet 4 controller reduces the attacker's expected payoff (the game value) by 59% relative to a deterministic greedy baseline, with zero variance across 40 runs at four sampling temperatures.
A Claude Haiku 4.5 controller converges to suboptimal game values but remains catalog-bounded over an additional 40 runs, showing that the architectural stability guarantee does not depend on the controller's capability. The LLM agent's non-determinism drives creative exploration of strategies, while the tool-mediated architecture guarantees that whatever the model emits, the enacted policy stays within the certified catalog.
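To make the catalog-bounding mechanism concrete, the following Python sketch is an added illustration and is not code from the paper. It models the tool-output interface described in the abstract: an LLM (stubbed here as any callable returning free text) proposes an EDR policy, the interface accepts the proposal only if it names an entry of a finite catalog, and otherwise substitutes the output of a deterministic best-response tool. The three-host enterprise, the payoff table, the sensor likelihoods and the telemetry event names are all constructed for the example; the best-response tool is a simplified expected-payoff minimiser standing in for the paper's Stackelberg tool, and the greedy baseline is an assumed belief-free comparator, not the paper's.

```python
"""Tool-mediated controller loop with catalog enforcement (illustrative, not the paper's code)."""
from typing import Callable, Dict, Iterable, List

HOSTS = ["ws", "server", "dc"]

# Finite action catalog (constructed for illustration). Each EDR policy maps
# the attacker's true location -> attacker payoff if that policy is enacted.
CATALOG: Dict[str, Dict[str, float]] = {
    "harden_workstation": {"ws": 0.20, "server": 0.80, "dc": 0.90},
    "harden_server":      {"ws": 0.70, "server": 0.20, "dc": 0.80},
    "harden_dc":          {"ws": 0.95, "server": 0.70, "dc": 0.10},
    "no_op":              {"ws": 1.00, "server": 1.00, "dc": 1.00},
}

UNIFORM_PRIOR: Dict[str, float] = {h: 1.0 / len(HOSTS) for h in HOSTS}

# Asymmetric sensor model (constructed): P(telemetry event | attacker at host).
# The defender observes only these events, never the attacker's position.
LIKELIHOOD: Dict[str, Dict[str, float]] = {
    "ws":     {"kerberos_anomaly": 0.1, "lsass_access": 0.5},
    "server": {"kerberos_anomaly": 0.3, "lsass_access": 0.4},
    "dc":     {"kerberos_anomaly": 0.8, "lsass_access": 0.3},
}


def bayes_update(prior: Dict[str, float], observation: str) -> Dict[str, float]:
    """Bayesian observer tool: posterior over attacker location after one event."""
    unnorm = {h: prior[h] * LIKELIHOOD[h].get(observation, 0.0) for h in prior}
    z = sum(unnorm.values())
    if z == 0.0:                      # event explained by no host: keep the prior
        return dict(prior)
    return {h: v / z for h, v in unnorm.items()}


def expected_payoff(action: str, belief: Dict[str, float]) -> float:
    """Attacker's expected payoff (game value) of a catalog action under a belief."""
    return sum(belief[h] * CATALOG[action][h] for h in HOSTS)


def best_response(belief: Dict[str, float]) -> str:
    """Deterministic best-response tool: catalog action minimising the game value."""
    return min(CATALOG, key=lambda a: expected_payoff(a, belief))


def greedy_baseline() -> str:
    """Assumed belief-free baseline: minimise payoff averaged over all hosts."""
    return best_response(UNIFORM_PRIOR)


def catalog_bounded_select(llm_output: str, belief: Dict[str, float]) -> str:
    """Tool-output interface. The model's text is never executed: it is accepted
    only if it exactly names a catalog entry, otherwise the deterministic tool's
    answer is enacted instead. Anything off-catalog is therefore unreachable."""
    candidate = llm_output.strip().lower()
    return candidate if candidate in CATALOG else best_response(belief)


def run_episode(llm: Callable[[Dict[str, float]], str],
                observations: Iterable[str]) -> List[str]:
    """Observe -> update belief -> ask the LLM -> enforce catalog, per time step."""
    belief = dict(UNIFORM_PRIOR)
    trace: List[str] = []
    for obs in observations:
        belief = bayes_update(belief, obs)
        trace.append(catalog_bounded_select(llm(belief), belief))
    return trace


def scripted_llm(outputs: List[str]) -> Callable[[Dict[str, float]], str]:
    """Stub controller that replays fixed outputs, including an off-catalog one."""
    it = iter(outputs)
    return lambda _belief: next(it)


if __name__ == "__main__":
    post = bayes_update(UNIFORM_PRIOR, "kerberos_anomaly")
    print("posterior:", {h: round(p, 3) for h, p in post.items()})
    print("best response:", best_response(post), expected_payoff(best_response(post), post))
    print("greedy baseline:", greedy_baseline(), expected_payoff(greedy_baseline(), post))
    print(run_episode(scripted_llm(["harden_server", "disable all EDR sensors", "HARDEN_DC"]),
                      ["lsass_access", "kerberos_anomaly", "kerberos_anomaly"]))
```

The point of the sketch is where the check sits: `catalog_bounded_select` is the only path from model text to an enacted action, so an injected or hallucinated instruction such as "disable all EDR sensors" degrades to the deterministic tool's choice rather than to an unsafe state. Under the constructed numbers the belief-aware best response roughly halves the game value relative to the greedy baseline; the 59% figure in the abstract is the paper's measurement, not this toy's.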