Beyond Single-Stage IDS: A Drift-Aware RS²FS Pipeline with Confidence Gating and Mahalanobis Open-Set Defense


Abstract

Real-time intrusion detection in heterogeneous Internet of Things (IoT) networks involves continuously monitoring diverse connected devices and communication protocols to promptly identify malicious activities or anomalies. Due to varied device capabilities, dynamic topologies, and resource constraints, these systems leverage lightweight AI-driven analytics, edge processing, and adaptive security models to ensure minimal latency. Effective detection enhances resilience, safeguards sensitive data, and maintains seamless IoT operations in mission-critical environments. We propose a stage-specific Recursive Sparse & Relevance-based Feature Selection (RS²FS) and a confidence-gated Support Vector Machine (SVM)→SVM→ANFIS cascade for real-time intrusion detection in heterogeneous IoT networks. RS²FS combines elastic-net screening, MI∩mRMR relevance, stability selection, and margin-aware recursive pruning to yield compact, non-redundant feature sets per cascade stage. The cascade accepts easy cases with calibrated SVMs and routes ambiguous, family-localized traffic to per-family ANFIS rules, providing interpretable subtype decisions. Evaluated on CICIoT2023 with scenario-held-out splits (5× grouped CV), our model attains Macro-F1 = 0.962, Macro-AUC = 0.991, Balanced Accuracy = 0.963, MCC = 0.952, Brier = 0.038, and ECE = 0.012 at 6.3 ms CPU latency per window with a 7.8 MB footprint. Class-wise F1 shows consistent gains: Benign 0.991, DDoS 0.984, DoS 0.958, Recon 0.961, Web 0.937, Brute Force 0.951, Data Exfiltration 0.921, Botnet 0.942. Cascade behavior explains the speed–accuracy trade-off: 68% of windows are resolved at Stage-1 (F1 0.985, 3.38 ms), 22% at Stage-2 (F1 0.962, 7.73 ms), and only 10% escalate to ANFIS (F1 0.936, 23 ms). Against strong baselines, we improve Macro-F1 by +1.9 pp over SVM-only (0.943), +1.7 pp over XGBoost (0.945), and +1.1 pp over a small 1D-CNN (0.951); bootstrap tests show significance (p < 0.01). The open-set guard achieves AUROC 0.981 and TPR@1%FPR 0.912 with 4.6% reject rate. Robustness holds under +5% timestamp jitter (0.957), ±10% packet-size noise (0.955), and 10% missing features (0.949). Interpretable ANFIS rules highlight payload-entropy, MQTT topic-depth, and DWT-energy interactions. Overall, the framework delivers accurate, calibrated, interpretable, and fast IDS suitable for deployment in modern IoT environments.
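The routing idea in the abstract (a Mahalanobis open-set guard combined with confidence gates between stages) can be sketched as follows. This is an added example, not the authors' code: the thresholds `tau_open`, `tau1`, `tau2`, the placement of the guard before the gates, the two-feature windows and the sample data are all assumptions, and `p1`/`p2` stand for the calibrated top-class probabilities that the Stage-1 and Stage-2 SVMs would supply.

```python
import math

def fit_gaussian(rows):
    """Mean vector and sample covariance of known-traffic feature windows."""
    n, d = len(rows), len(rows[0])
    mu = [sum(r[j] for r in rows) / n for j in range(d)]
    cov = [[sum((r[i] - mu[i]) * (r[j] - mu[j]) for r in rows) / (n - 1)
            for j in range(d)] for i in range(d)]
    return mu, cov

def solve(a, b):
    """Solve a @ x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[p] = m[p], m[c]
        for r in range(n):
            if r != c:
                f = m[r][c] / m[c][c]
                m[r] = [x - f * y for x, y in zip(m[r], m[c])]
    return [m[i][n] / m[i][i] for i in range(n)]

def mahalanobis(x, mu, cov):
    """sqrt((x - mu)^T cov^-1 (x - mu)), computed without forming the inverse."""
    diff = [xi - mi for xi, mi in zip(x, mu)]
    d2 = sum(d * s for d, s in zip(diff, solve(cov, diff)))
    return math.sqrt(max(0.0, d2))

def route(x, p1, p2, model, tau_open=3.0, tau1=0.90, tau2=0.80):
    """Name the stage that decides window x (all thresholds are assumed values)."""
    mu, cov = model
    # Open-set guard first: a closed-set classifier can be confidently wrong
    # on traffic unlike anything it was trained on.
    if mahalanobis(x, mu, cov) > tau_open:
        return "reject-unknown"
    if p1 >= tau1:
        return "stage1-svm"    # easy case, accepted by the first SVM
    if p2 >= tau2:
        return "stage2-svm"    # resolved by the second SVM
    return "stage3-anfis"      # ambiguous, escalated to the per-family rules

# Constructed sample: two-feature windows standing in for known traffic.
KNOWN = [[1.0, 2.0], [1.2, 2.1], [0.9, 1.9], [1.1, 2.2], [0.8, 1.8], [1.0, 2.1]]
MODEL = fit_gaussian(KNOWN)
```

The guard runs before the gates so that a window far from the training distribution is rejected even when the SVM probability for it is high.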
