A Lightweight Two-Stage Intrusion Detection Framework Optimized for Edge-Based IoT Environments
Chung-Wei Kuo1,2,*, Cheng-Xuan Wu1
1 Department of Information Engineering and Computer Science, Feng Chia University, Taichung, Taiwan
2 Master’s Program of Information and Communication Security, Feng Chia University, Taichung, Taiwan
* Corresponding Author: Chung-Wei Kuo. Email: 
(This article belongs to the Special Issue: Secure and Intelligent Intrusion Detection for IoT and Cloud-Integrated Environments)
Computers, Materials & Continua https://doi.org/10.32604/cmc.2026.076767
Received 26 November 2025; Accepted 02 February 2026; Published online 21 February 2026
Abstract
The rapid proliferation of the Internet of Things (IoT) has not only reshaped the digital ecosystem but also significantly widened the attack surface, leading to a surge in network traffic and diverse security threats. Deploying effective defense mechanisms in such environments is challenging, as conventional Intrusion Detection Systems (IDS) often struggle to balance computational efficiency with the reliable detection of low-frequency, high-impact threats, particularly within the tight resource constraints of edge devices. To address these limitations, we propose a lightweight, high-efficiency IDS framework specifically optimized for edge-based IoT applications, incorporating Mutual Information (MI)-based feature selection to reduce input dimensionality without compromising detection capabilities. The system employs a hierarchical two-stage classification strategy: Stage 1 utilizes a fast Decision Tree (DT) model to rapidly isolate and filter dominant Distributed Denial-of-Service (DDoS) traffic, thereby substantially reducing the computational burden for subsequent analysis. Subsequently, Stage 2 applies a soft-voting ensemble comprising Random Forest (RF), eXtreme Gradient Boosting (XGBoost), and Adaptive Boosting (AdaBoost) to accurately classify remaining non-DDoS traffic and address class imbalance. Extensive experiments on the large-scale CICIoT2023 dataset demonstrate that the proposed framework achieves a classification accuracy of 99.67%, while simultaneously reducing training and testing time by nearly 64.5% compared to traditional single-stage approaches. The model’s robustness and generalization capabilities were further validated on the CICIoMT2024 and Edge-IIoTset datasets, representing medical and industrial scenarios, respectively, where it achieved an accuracy of over 94.7%. Empirical validation on a Cortex-A53-based SCADA testbed confirms the system’s real-time practicality, with a complete training process executed in just 249 seconds. With an average inference latency of approximately 26.66 μs per flow and modest resource consumption, the framework satisfies strict industrial timing constraints, supporting its deployment for scalable, resource-aware threat detection in distributed IoT and edge-fog environments.
Keywords
Internet of Things; intrusion detection systems; edge computing; soft voting; supervisory control and data acquisition
Open Access
Login
Register
Submit a Paper
Propose a Special lssue
Download PDF
Downloads
Citation Tools
