AegisGuard: A Multi-Stage Hybrid Intrusion Detection System with Optimized Feature Selection for Industrial IoT Security


Abstract

The rapid expansion of the Industrial Internet of Things (IIoT) within smart grid infrastructures has increased the risk of sophisticated cyberattacks, where severe class imbalance and stringent real-time requirements continue to hinder the effectiveness of conventional intrusion detection systems (IDSs). Existing approaches often achieve high accuracy on specific datasets but lack generalizability, interpretability, and stability when deployed across heterogeneous IIoT environments. This paper introduces AegisGuard, a hybrid intrusion detection framework that integrates an adaptive four-stage sampling process with a calibrated ensemble learning strategy. The sampling module dynamically combines SMOTE, SMOTE-ENN, ADASYN, and controlled undersampling to mitigate the extreme imbalance between benign and malicious traffic. A quantum-inspired feature selection mechanism then fuses statistical, informational, and model-based significance measures through a trust-aware weighting scheme to retain only the most discriminative attributes. The optimized ensemble, comprising Random Forest, Extra Trees, LightGBM, XGBoost, and CatBoost, undergoes Optuna-based hyperparameter tuning and post-training probability calibration to minimize false alarms while preserving accuracy. Experimental evaluation on four benchmark datasets demonstrates the robustness and scalability of AegisGuard. On the CIC-IoT 2023 dataset, it achieves 99.6% accuracy and a false alarm rate of 0.31%, while maintaining comparable performance on TON-IoT (98.3%), UNSW-NB15 (98.4%), and Bot-IoT (99.4%). The proposed framework reduces feature dimensionality by 54% and memory usage by 65%, enabling near real-time inference (0.42 s per sample) suitable for operational IIoT environments.
