Toward Human-Aware Active Directory Defense with Fine-Tuned LLMs

Authors

  • Hung X. Nguyen, Adelaide University
  • Tu Vu, Adelaide University

DOI:

https://doi.org/10.1609/aaaiss.v9i1.42949

Abstract

Autonomous cyber defense agents increasingly need to query complex enterprise attack graphs under time pressure, yet today’s Active Directory (AD) tools still assume expert-authored Cypher queries. This paper studies natural-language-to-Cypher generation as a core tool-use action for human-aware AD defense agents operating over BloodHound-style graphs. We curate 346 executable English–Cypher pairs from practitioner queries, augment them to 2,768 samples via constrained paraphrasing, and fine-tune an open-weight Mixtral‑8×7B model using QLoRA. Across ten representative BloodHound-equivalency tasks on five synthetic AD graphs, fine-tuning raises parse success from 0.80 to 0.94 and correct-answer rate from 0.34 to 0.42. These gains should be interpreted as evidence that domain tuning can improve syntactic robustness in a controlled setting, rather than as evidence of production-ready semantic reliability or real-enterprise scalability. Error analysis reveals safety-critical semantic gaps in domain admin identification, unsupported-OS detection, and temporal constraints. We argue that, for cyber defense agents, schema prompting and fine-tuning alone are insufficient: safe autonomy over AD graphs requires execution-grounded correction, explicit domain guardrails, and interaction designs that calibrate human trust in LLM-generated queries.

Published

2026-06-23

How to Cite

Nguyen, H. X., & Vu, T. (2026). Toward Human-Aware Active Directory Defense with Fine-Tuned LLMs. Proceedings of the AAAI Symposium Series, 9(1), 332–335. https://doi.org/10.1609/aaaiss.v9i1.42949

Section

Human-Aware AI Agents for the Cyber Battlefield: From Human Models to Autonomous Defense (Short Papers)