Two-Stage Intrusion Detection System Based on Metric Learning in Fog Environment

Abstract: With billions of Internet of Things (IoT) devices deployed, cyber attacks against such devices are increasingly common. However, some existing studies focus only on binary classification tests, do not consider the latest IoT datasets, and cannot adapt to new requirements, so an efficient and accurate two-stage intrusion detection system is proposed. The system combines deep metric learning and ensemble learning and operates in a two-tier fog architecture: an anomaly detection model based on an improved triplet network is deployed in the fog nodes to perform binary classification of captured traffic, while an attack identification module consisting of decision tree, gradient boosting tree and random forest classifiers is deployed in the cloud platform to analyze activities identified as intrusions in the first tier so that administrators can take corresponding countermeasures. Evaluated on the latest IoT datasets IOT-23 and UNSW-NB15, the experimental results show that the model outperforms some advanced models and can effectively solve the intrusion detection problem in fog environments.

     
