Abstract
Real-time intrusion detection in heterogeneous Internet of Things (IoT) networks involves continuously monitoring diverse connected devices and communication protocols to promptly identify malicious activities or anomalies. Due to varied device capabilities, dynamic topologies, and resource constraints, these systems leverage lightweight AI-driven analytics, edge processing, and adaptive security models to ensure minimal latency. Effective detection enhances resilience, safeguards sensitive data, and maintains seamless IoT operations in mission-critical environments. We propose a stage-specific Recursive Sparse & Relevance-based Feature Selection (RS2FS) and a confidence-gated Support Vector Machine (SVM) → SVM → ANFIS cascade for real-time intrusion detection in heterogeneous IoT networks. RS2FS combines elastic-net screening, MI ∩ mRMR relevance, stability selection, and margin-aware recursive pruning to yield compact, non-redundant feature sets per cascade stage. The cascade accepts easy cases with calibrated SVMs and routes ambiguous, family-localized traffic to per-family ANFIS rules, providing interpretable subtype decisions. Evaluated on CICIoT2023 with scenario-held-out splits (5 × grouped CV), our model attains Macro-F1 = 0.962, Macro-AUC = 0.991, Balanced Accuracy = 0.963, MCC = 0.952, Brier = 0.038, and ECE = 0.012 at 6.3 ms CPU latency per window with a 7.8 MB footprint. Class-wise F1 shows consistent gains: Benign 0.991, DDoS 0.984, DoS 0.958, Recon 0.961, Web 0.937, Brute Force 0.951, Data Exfiltration 0.921, Botnet 0.942. Cascade behavior explains the speed-accuracy trade-off: 68% of windows are resolved at Stage-1 (F1 0.985, 3.38 ms), 22% at Stage-2 (F1 0.962, 7.73 ms), and only 10% escalate to ANFIS (F1 0.936, 23 ms). Against strong baselines, we improve Macro-F1 by + 1.9 pp over SVM-only (0.943), + 1.7 pp over XGBoost (0.945), and + 1.1 pp over a small 1D-CNN (0.951); bootstrap tests show significance (p < 0.01). Unlike existing IoT IDS approaches that rely on single-stage classifiers or one-time, global feature selection, our framework introduces two fundamental advances. First, the proposed RS2FS mechanism performs stage-specific, stability-aware, and margin-guided feature reduction, addressing the gaps of redundancy, volatility, and non-adaptiveness found in prior MI-, mRMR-, or L1-based selection methods. Second, the confidence-gated SVM → SVM → ANFIS cascade introduces a new routing paradigm where high-margin "easy" traffic is settled early, while only low-confidence, ambiguous windows are escalated to fuzzy reasoning overcoming the limitations of conventional hybrid SVM-ANFIS systems that apply the same classifier depth to all samples. Together with integrated open-set rejection and drift micro-adaptation, these contributions position the framework as a fundamentally new IDS architecture for heterogeneous IoT environments. The open-set guard achieves AUROC 0.981 and TPR@1%FPR 0.912 with 4.6% reject rate. Robustness holds under + 5% timestamp jitter (0.957), ± 10% packet-size noise (0.955), and 10% missing features (0.949). Interpretable ANFIS rules highlight payload-entropy, MQTT topic-depth, and DWT-energy interactions. Overall, the framework delivers accurate, calibrated, interpretable, and fast IDS suitable for deployment in modern IoT environments.