MSNM-Sensor: An Applied Network Monitoring Tool for Anomaly Detection in Complex Networks and Systems

Technology evolves quickly. Low-cost and ready-to-connect devices are designed to provide new services and applications. Smart grids or smart healthcare systems are some examples of these applications, all of which are in the context of smart cities. In this total-connectivity scenario, some security issues arise since the larger the number of connected devices is, the greater the surface attack dimension. In this way, new solutions for monitoring and detecting security events are needed to address new challenges brought about by this scenario, among others, the large number of devices to monitor, the large amount of data to manage and the real-time requirement to provide quick security event detection and, consequently, quick response to attacks. In this work, a practical and ready-to-use tool for monitoring and detecting security events in these environments is developed and introduced. The tool is based on the Multivariate Statistical Network Monitoring (MSNM) methodology for monitoring and anomaly detection and we call it MSNM-Sensor. Although it is in its early development stages, experimental results based on the detection of well-known attacks in hierarchical network systems prove the suitability of this tool for more complex scenarios, such as those found in smart cities or IoT ecosystems.


I. INTRODUCTION
Several technical reports forecast 30 billion IoT (Internet of Things) devices around the world by 2021 [1] and more than 3 billion M2M (Machine to Machine) connections by 2022 [2]. This scenario enables new services and applications for improving people's daily life as well as business opportunities. However, many challenges arise, with security being one of the most important.
Underlying systems and communications networks are continually being threatened by attackers, even more in these hiper-connected environments. For instance, it is worth mentioning two recent attacks, Dyn (2016) [3], [4] and VPNFilter (2018) [5], where thousands of Internet of Things (IoT) devices were compromised causing, on the one hand, a high economic impact and, on the other hand, and even worse, personal costs.
The way to monitor and control what is happening in these kinds of scenarios is a great challenge since the attack exposure surface grows almost exponentially with the number of devices interconnected. A more challenging issue is to manage the generated data gathered from different information sources such as applications, networking devices and communications. In this way, key aspects such as managing the volume, veracity or velocity of the data are crucial for achieving quick and efficient detection and reaction against security attacks [6]. Furthermore, these aspects may limit the practical application of the solutions, especially in the described scenario.
To address the previous issues, IDS (Intrusion Detection System) and SIEM (System Information and Event Management) tools are widely used by the specialized community on ICT (Information and Communication Technologies) security. IDS systems are commonly categorized as one of two types: 1) Network-based IDSs (NIDSs) and 2) Hostbased IDSs (HIDSs). NIDSs monitor network events such as traffic flows or firewall logs, while HIDSs behave similarly but consider host (endpoint)-related events, e.g., syslog, CPU load, etc. Along with this categorization, we can also discern between Anomaly-based IDSs (AIDSs) and Signature-based IDSs (SIDSs), depending on the detection technique applied. The first one (AIDS) tries to find anomalous patterns in the monitored information, while the second one (SIDS) intends to detect the presence of an attack by comparing the gathered information with previously defined attack signatures. Snort [7] and Zeek (Bro) [8] are some examples of practical and widely used IDS tools.
SIEM tools also include monitoring and detection functionalities but also provide services for event correlation and reporting capabilities, among others. Moreover, SIEM tools can also handle information gathered from IDS systems as a suitable data source for alerting security events. Splunk [9] and AlientVault [10] are some examples of practical and widely used SIEM tools.
However, neither IDSs nor SIEM tools can efficiently manage new monitoring and security event detection needs arising from new communication and computation paradigms. In this work the MSNM-Sensor (Multivariate Statistical Network Monitoring Sensor) tool is introduced to address the previous issues. It is based on the MSNM (Multivariate Statistical Network Monitoring) approach coined by Camacho et al. [11] and successfully tested afterwards in works [12], [13], [14]. Briefly, MSNM methodology comprises four main steps which are parsing, fusion, detection and diagnosis.
All the previous stages has successfully been integrated into the MSNM-Sensor having a useful tool for monitoring and anomaly detection in real-time. Among others characteristics, it is able to manage heterogeneous data sources in real time; reduces the monitoring network traffic without significant impact in the detection performance; is lightweight, scalable, versatile and dynamically adaptable to changes in the network environments; keeps privacy on communications; provides a friendly interactive dashboard and it is an open source project.
In order to demonstrate its suitability to be used in complex network environments, MSNM-Sensor has been tested to monitor hierarchical networks and systems for detecting wellknown attacks like DoS, port scanning and data exfiltration as can be seen in IV section.
The paper has been organized as follows. Section II describes the fundamentals of MSNM methodology, which supports the core functionality of the sensor. In Section III the components and operation modes of MSNM-Sensor are described. The detection capabilities of the sensor are validated in realistic network architectures through Section IV. Moreover, attacks such as DoS, data exfiltration or port scanning are successfully detected and located in the proposed network architecture. Finally, conclusions and further work are described in Section V.

II. FUNDAMENTALS OF MULTIVARIATE STATISTICAL NETWORK MONITORING
In this section we briefly introduce MSNM, which is the basis of the MSNM-Sensor tool. MSNM relies on PCA (Principal Component Analysis), a main tool for multivariate analysis. PCA has been established as a promising technology to perform network anomaly detection [15], [16], [17], [18]. Besides, the unsupervised nature of PCA allows to unveil anomalous behavior from unknown attacks which is a desired characteristic in those solutions working in real environments. Apart from its unsupervised nature, PCA is a white-box model. In comparison to the bulk of machine learning solutions, PCA models are explainable since trends or relationships in the features and observations of the data, can be easily connected.
MSNM has been demonstrated to be a promising methodology in network anomaly detection through several works [11], [12], [13], [14], [19] offering a high detection performance in this context. Four stages comprise the MSNM methodology. They are: a) parsing, b) fusion, c) detection and d) diagnosis. All of them are introduced in the following and integrated in the MSNM-Sensor tool as can be seen in next section.

A. Parsing
Information from communication networks usually comes in the shape of huge logs and traffic based files containing heterogeneous information. This makes it impossible to directly use this information as input of detection systems and learning models to identify different kinds of attacks. However, to overcome this issue, data sources are processed in order to build a more suitable input for automatic detectors or classifiers.
In this sense, the application of some feature engineering technique is proposed to build a well-structured input, suitable for monitoring and detection systems in general. Thus, the Feature as a Counter (FaaC) [6] technique is used as a functional solution to the problem of learning from large heterogeneous datasets. It consists in transforming different data sources (structured or not) of information with features into new variables. The new ones are just counters of the original ones computed in a given interval of time. For instance, it could be interesting to count the number of accesses to port 22 in a given time window interval, because a high number might mean a brute force SSH attack. The practical implementation of the FaaC approach, named FCParser, is available online for downloading at [20].

B. Fusion
In communication networks and systems it is expected to find more than one information data source to be monitored. Apart from the parsing functionality of FaaC, the FCParser tool is also able to fuse different data sources in a single set of features. For each different source of data, a set of features (counters) is defined. All the sources under monitoring are appended into a simple data stream to build the calibration matrix for the PCA model. For that, each source is sampled with equal sampling rate, then parsed and finally fused into an unique data stream. This procedure is periodically repeated at each sample time.
The combination of the parsing and the fusion procedures is specially suited for the subsequent multivariate analysis, resulting in high dimensional feature vectors that need to be analyzed with dimension reduction techniques, like PCA. Moreover, the diagnosis procedure benefits from the definition of a large number of features for a better description of the anomaly taking place. Finally, counters and their correlation are easy to interpret.

C. Detection
PCA is the core of MSNM. PCA identifies a number of linear combinations of the original variables in a data set X 1 , the so-called PCs (Principal Components), containing most of its relevant information (variability). This process involves a change in variables from the original ones in the X space to those in the PC subspace. If X contains M variables and N observations of each variable, PCA reduces its dimensions from M variables to A PCs by finding the A-dimensional latent subspace of the most variability captured.
PCA is described through the following equation: where P A is the M ×A loading matrix, T A is the N ×A score matrix and E A is the N ×M residual matrix. The maximum variance directions are obtained from the eigenvectors of X t · X, and they are ordered as the columns of P A by the explained variance. The rows of T A are the projections of the original N observations in the new latent subspace. E A is the matrix that contains the residual error, and it plays a key role in the anomaly detection, as shown later. The projection (score) onto the PCA subspace of a new observation is obtained as follows: where x new is a 1×M vector that represents a new object and t new is a 1×A vector that represents the projection of the latent subspace, while corresponds to the residuals. In order to detect anomalies in the monitored system Q-st [21] and D-st (also known as T 2 ) [22] statistics are commonly used. Q-st compresses the residuals in each observation, and D-st is computed from the scores. Their values for a specific observation can be computed through the following equations: where τ an represents the score of the n-th observation of the a-th PC, µ a and σ a stand for the mean and standard deviation for the scores of that PC in the calibration data, respectively, and e nm represents the residual value corresponding to the n-th observation of the m-th variable.
With both statistics (4) and (5) computed from the calibration data X, Upper Control Limits (UCLs), i.e. detection thresholds, can be established with a certain confidence level [11], [23]. Subsequently, new data are monitored using these limits, and an anomaly is identified when UCL limits are exceeded by new incoming observations.

D. Diagnosis
After detecting something anomalous in the system, it is necessary to find out where the event came from and the reason as well. Most often, the diagnosis procedure is manually carried out by a security analyst alerted by the system.
The diagnosis procedure could be a tricky and tedious task, due to the large amount of information to analyze. Feature contributions to a given anomaly can be a useful tool to identify where the anomalous behavior comes from. Contribution plots or other diagnosis methods like oMEDA (observationbased Missing-data method for Exploratory Data Analysis) [24] or Univariate Squared (US) [25] can be used to identify the feature contributions. Thus, anomalies are detected in the D-st and/or Q-st statistics, and then the diagnosis is performed with e.g., oMEDA. For instance, The output of oMEDA is a 1×M vector where each element contains the contribution of the corresponding feature to the anomaly under study. Those contributions with large magnitude, either positive or negative, are considered to be relevant.

III. MULTIVARIATE STATISTICAL NETWORK MONITORING SENSOR: MSNM-SENSOR
In the following section, MSNM-Sensor modules are introduced and thoroughly explained. In addition to others, like those in charge of inter-sensors communications or information sources management, the most important ones corresponds to the four steps found in MSNM methodology. Apart from that, the principal sensor operations are also described through illustrative examples.

A. Modules
The involved MSNM-Sensor functional modules, depicted in Figure 1, are described as follows: 1) IS (Information Source): The IS module handles the data coming from the information sources. Two types of data sources, according to their location, are considered: • Local (LIS). The information gathered from these data sources is generated by the device where the MSNM-Sensor is deployed. For instance, local information sources can be obtained from firewall log files, NetFlow traffic flows and host-based information (e.g., syslog in Linux-based systems), among others. LIS data is processed by the PARSING & FUSION modules. • Remote (RIS). The incoming data from other MSNM-Sensors are handled as a remote information source.
Most of the data from other MSNM-Sensors will be the computed values of the monitoring statistics Q n,mst and D n,m -st, allowing anomaly detection in complex and hierarchical systems. However, any other information could be obtained from a remote sensor, e.g., those requested by a security analyst for an anomaly diagnosis.

2) PARSING & FUSION :
As mentioned in Section II parsing and fusion modules do, on one hand, a transformation of LIS data sources (structures or not) into a new structured form where new features are counters of the original. On the other hand, in case of considering several LIS data sources, all of them are fused by appending one after another. As a result, we have a homogeneous data stream of quantitative values to be afterwards used in the DETECTION module for anomaly detection. Both processes are carried out by the FCParser [20] which implements the FaaC approach.
3) DETECTION: This module represents the sensor functional core for anomaly detection. It provides multivariate statistical-based methods and algorithms to compute the monitoring statistics Q n,m -st and D n,m -st in real time. This module enables the detection of anomalies in the monitored system when statistics computed from a new observation exceed certain control limits. Two control limits are calculated: UCLq and UCLd for Q n,m -st and D n,m -st respectively. Detailed information on monitoring statistics and UCL limits construction can be found in [11].
The DETECTION module supports three different functions: • Preprocessing. The DETECTION module performs data preprocessing for new observations and learning models. The standard normalization is used by default, but additional methods are also available and ready to use. • Modeling. This operation is in charge of the sensor calibration from a set of observations that are, ideally, under NOCs (Normal Operation Conditions), i.e., without known anomalies. Currently, the PCA model is used, but other machine-learning-based techniques can be easily integrated [26][27]. • Monitoring. This operation computes the above mentioned statistics for each incoming observation. In addition to the precomputed control limits, the monitoring operation is able to detect anomalous behavior when these limits are exceeded. Because of the dynamic nature of information coming from networks and systems, learning models should periodically be re-calibrated or re-trained in order to adapt it to normal changes in the environment that avoids high false positive rates. Usually, such changes are due to the own cyclostationary nature of the information from network communications and systems [28] which are different in volume and variety depending on the hour, day, week, etc. These behavioral patterns are periodically repeated. The EWMA (Exponentially Weighted Moving Average) approach is used to dynamically calibrate the sensors every 60 minutes [29]. Each sample rate, new UCL limits are also computed.

4) DIAGNOSIS:
The diagnosis procedure takes place when an anomaly is detected on the monitored system. It is necessary to find out where the event came from and the reason as well, to afterwards deploy the adequate response measures to counteract against the attack. How to manage this problem is the duty of the DIAGNOSIS module.
The DIAGNOSIS module relies on the use of statistical multivariate techniques to determine the source of the anomaly. Currently, the oMEDA (observation-based Missingdata method for Exploratory Data Analysis) [24] method is implemented, but other methods can be included, for instance, the contribution plots of the diagnosis method proposed in [25].
Although the DIAGNOSIS module solves the anomaly diagnostic by itself, it is done locally, i.e., in the device where the sensor was deployed. In addition, defining the device and data source(s) involved in an anomalous behavior in the whole system under monitoring is not a trivial task. For this reason, we create the DRT (Diagnosis Routing Table), which acts similarly to the well-known routing IP tables but adds together the information of local and remote sources. The diagnosis flow and routing procedure are explained in detail in Sections III-B and III-C.

5) COM (COMmunications):
The COM module allows each MSNM-Sensor to exchange information. In this way, the COM module handles the exchange of specific messages. The system supports (but is not limited to) two types of messages: data and command. The messages mainly differ in the payload and type. For instance, a data message can include any information required in sensor operations, e.g., the monitoring statistics. On the other hand, command messages are devised to control these processes.
Depicted in Figure 1, two information flows are clearly differentiated: monitoring and diagnosis. It is worth mentioning that only the first one (monitoring) is currently implemented, while the second one is an ongoing work (see the project in [30]). However, we decided to mention and describe both of them because they are complementary. In this way, monitoring information flow exchanges data messages containing the computed statistics Q n,m and D n,m , while the diagnosis flow controls the entire diagnostic procedure.
In this early stage, there is no specific routing algorithm between sensors. Instead, each sensor must be manually configured to send and receive data to and from others. A self-deployed sensor process will be added in future releases.
Both flows and the exchanged messages are described in Sections III-B and III-C. 6) MANAGER: As depicted in Figure 1, all modules work together following an execution pipeline and sharing the necessary information. The module in charge of orchestrating and managing the others is the MANAGER.
As mentioned above, there are two different information flows: monitoring and diagnosis. The first one (monitoring) involves four main modules (IS, PARSING, FUSION and DETECTION) that should be invoked sequentially, because the output of each module is the input of the next one. However, the second flow (diagnosis) involves the DIAG-NOSIS module, which is invoked if a specific message is received. Finally, MANAGER handles the orchestration of which MSNM-Sensor module should run and when.
A highly detailed description of the module interactions in each sensor is given in Section III-B.

B. Operations
Thus far, the main functional MSNM-Sensor modules have been described. However, high-level operations, including several modules, are devised in accordance with the principal MSNM-Sensor functionalities: monitoring and diagnosis. The diagnosis process is still an ongoing work; however, we decide to briefly describe it for completeness.
1) Monitoring Operation: To be aware of what is happening in systems or networks, it is important to detect anomalous behaviors (deliberate or not). However, this is not a trivial task, since a previous work must be done to select which element and information should be supervised. In this manner, the monitoring flow and the involved modules offer a versatile and scalable tool allowing the user to freely select data sources and variables to be monitored. Figure 2 shows a detailed view of module interactions and the exchanged information. In the figure, one can see a hypothetical local data source LIS v with M v variables to monitor a total of N v gathered observations, the latter being split into k batches (b v1 , b v2 , . . . , b vk ). Each batch has j = M v variables and i different numbers of observations each. As a result, we are able to 1) process less information, reducing the computation time, which is a key point for real-time applications, and 2) adapt the monitoring time step granularity, ...  sometimes hardly limited by the monitored data source or the anomaly to be detected. As explained in Section IV, 60 seconds is enough to monitor NetFlow-based data sources in the detection of DoS attacks, for example.
For each b vk batch of observations, a new one is generated by parsing and fusing the original information (raw). This task is the duty of the PARSING & FUSION modules (see Section III-A2). At the time of writing this article, the implemented module was the FCParser [20] which implements the FaaC approach, a new feature engineering methodology that transforms the original information variable space into a new one where the new variables (z) are counters (C v ) of the original ones. This smart transformation makes the system highly versatile and scalable, allowing the user to define a large number of different new variables from a limited original set. For instance, counting the number of different destination ports in a certain period of time could be relevant for port scanning or port knocking attacks.
Although just one data source has been considered so far, additional local (LIS) or remote (RIS) data sources can also be included if needed. Figure 2 shows the procedure to add new data sources. In this case (but not limited to it), there are three data sources involved: two local (LIS v and LIS l ) and one remote (RIS r ). At each monitoring step, a new fused observation is created. In this way, the extended space will have e variables, with e = z + p + 2, where z is the number of variables (counters) from a batch k of source LIS v ; p is the number of variables (counters) from the same batch of source LIS l ; and RIS r has two variables as the number of statistics generated by the remote sensor. This observation is the input of the DETECTION module which is in charge of computing the monitoring statistics (Q (n,m)k , D (n,m)k ). At this point, the system can detect anomalous behaviors when the control limits are exceeded. In addition, if this sensor is not the root in the hierarchy, the generated statistics will also be sent to the corresponding remote sensor for hierarchical iptables.log (LISv) oMEDA observation Fig. 3. Diagnosis operation steps to determine the origin of an anomaly in the system. In this case, the anomaly comes from a variable (C 3 vk) with a high contribution in the observation under inspection. This variable corresponds with a local data source LISv, which is a firewall log.
monitoring and anomaly detection. 2) Diagnosis Operation: As aforementioned, after detecting an anomaly in the system, the diagnosis procedure should be launched to determine its origin. Figure 3 depicts the operation steps launched to determine which IS is involved in the anomaly. For instance, we suppose that a security event arose from the LIS v local data source that in turn represents an iptables firewall.
Once the corresponding observation to be inspected has been retrieved from the sensor, the oMEDA algorithm is launched. This algorithm outputs the contribution of each variable, where those variables with high values (either positive or negative) must be inspected in detail as they are relevant. In this case, the variable with a high positive value is C 3 vk (the one in red in Figure 3), which belongs to the LIS v data source according to the DRT. The DRT structure and role in this operation are described in the next section.
Together, the timestamp and the observation under investigation allow the sensor to extract the corresponding piece of raw information to be afterwards analyzed by the security analyst.

C. Working All Together: A Hierarchical Approach
As aforementioned, a single MSNM-Sensor instance is able to monitor and detect anomalous behaviors from a wide range of heterogeneous local and remote data sources. However, the really novel idea behind the use of Q (n,m) and D (n,m) statistics is their capability of maintaining the monitoring and anomaly detection performance when they are included in the hierarchy of complex network environments. This useful characteristic has been demonstrated in work [31].
Although the tool will be tested in Section IV, in a realistic network scenario, an example of several MSNM-Sensors cooperating within a hypothetical and common network deployment is described as follows for clarification. Figure 4 shows a simple network scenario where several MSNM-Sensors are deployed at hosts and network devices. We can discern in the figure two involved information flows: the monitoring and diagnosis flows. The former (black dashed lines) transports pairs of monitoring statistics ([Q (n,m) , D (n,m) ]) coming from lower to higher levels in the hierarchy. In this synthetic example, sensors S 1,3 , · · · , S n,3 are deployed at hosts in the deepest architecture level, sending the generated statistics [Q (1,3) , D (1,3) ], · · · , [Q (n, 3) , D (n, 3) ] to the next closest sensor in the hierarchy. Indeed, they act as remote sources of S 1,2 . Now, this sensor aggregates and processes it, giving the [Q (1,2) , D (1,2) ] values. Finally, the root sensor (S 1,1 ) gathers the statistical information from its immediately lower levels, processes it and generates the last statistics to be observed for anomaly detection. This final monitoring task is commonly carried out by a security analyst, who determines the presence of an anomaly when certain control limits are exceeded by the statistics [11].
Once the anomaly is detected, a deeper inspection should be done to determine, for example, where the anomaly comes from and the its reason. This is the diagnosis procedure, which is represented in Figure 4 with solid green and dashed brown lines, that is, the command and response involved actions, respectively. In this example, the anomaly comes from S 1,3 , which is in charge of monitoring firewall traffic logs. First, a command message [C m ] to find the anomaly origin is sent. How this message should be routed across the multilevel scenario is defined in the DRT, which maps RIS and LIS data sources known by each MSNM-Sensor and the observation timestamps. To determine which data source motivates the anomaly at a certain timestamp, a diagnosis algorithm is invoked. As mentioned before, oMEDA algorithm is currently used, though some other methods could easily be integrated. This procedure is repeated until the data source origin is found. Shortly thereafter, the involved piece of information (raw) falling into the observation period of time is returned to the root sensor to be analyzed in detail. A new message called response [R m ] allows this operation.

IV. PRACTICAL APPLICATION OF MSNM-SENSOR FOR MONITORING AND ATTACK DETECTION IN COMPLEX NETWORK ENVIRONMENTS A. Experimental Environment
To evaluate the performance of IDS-based systems, readyto-use datasets are widely used. Consequently, choosing one or another dataset is a very relevant decision with considerable consequences, not only in obtaining results but also in establishing the validity of the conclusions the authors claim. In this way, Maciá-Fernández et al. [28] build a recent and real network dataset that copes with the main drawbacks found in the most commonly used ones in the specialized literature. Nevertheless, not all of them are valid for use in certain application scenarios, because there are differences between the environment where the dataset was built and the one where the IDS solution will be deployed. In this manner, ready-to-use solutions for real-time anomaly detection are recommended. These types of approaches could eliminate the need to use previously gathered datasets, which are, on the other hand, very difficult to build.
To validate the monitoring and anomaly detection performance of the MSNM-Sensor in complex systems, we spread several sensors over a controlled scenario with virtual machines running in a cluster. This scenario has been previously devised to theoretically prove the hypothesis of the application of MSNM for hierarchical systems [31]. The key characteristics required are introduced in the following section. Interested readers can obtain more details in the mentioned reference.
The complete scenario with the different machines is depicted in Figure 5. This environment simulates a typical network architecture of a corporation so we can observe several subnetworks, network devices and end-devices. For instance, a DMZ is located in the inner network, separated from the outside world (Internet) with a BR (Border Router) and departmental networks in turn delimited by the corresponding routers (R1, R2, and R3).
In this scenario, we have two types of network traffic: normal and malicious. Normal traffic comprises all HTTP communications from all departmental hosts requesting HTTP resources allocated at the several web servers placed in the Internet and DMZ. As shown in Figure 5, the BR is aware of all the incoming traffic from and outgoing traffic to the Internet. On the other hand, Rx routers, with x = 1, 2, 3, observe the corresponding portion of the previous HTTP traffic, which is generated by the hosts in their networks. Additionally, departmental hosts request HTTP resources to the web server in the DMZ.
On the other hand, the malicious traffic is generated from different locations in the predefined architecture, simulating very well-known and state-of-the-art attacks. These are 1) DoS (high and low rate); 2) port scanning, a relevant step in the recognition phase in a penetration testing procedure; and 3) data exfiltration for privacy violation purposes.
We run our scenario during a period of 25 hours. In the first 23.5 hours, only normal traffic is generated. During the last hour and a half, the attacks previously described are generated sequentially and do not overlap in time, with 5 minutes given for each one: high-rate DoS, low-rate DoS, scanning attack and data exfiltration.
The different routers in the network (R1, R2, R3 and BR) are equipped with NetFlow inspectors that generate NetFlow v5 information. These data are afterwards consumed in real time by the corresponding MSNM-Sensors, which are deployed in the mentioned network devices. These sensors are S 1,2 , S 2,2 , S 2,3 and S 1,1 , which are represented by orange-colored boxes in Figure 5. All of them consider only a local data source: the generated information of the corresponding NetFlow inspectors. However, only S 1,1 is in charge of aggregating the monitoring information in the form of statistics coming from the sensors in the network lower level. Every minute, a new observation is gathered by each sensor, meaning that two statistics are generated every minute.

B. Experimental Results
As we stated in previous sections, a key characteristic of the MSNM-Sensor is its applicability in real and complex environments monitoring a large variety of devices and communications. The MSNM-Sensor system is able to detect abnormal behaviors in the whole system considering only a couple of monitoring statistics. 2 Figure 6 shows the Q-st (blue inverted triangles) and D-st (orange filled circles) statistics evolution with time obtained from the BR sensor. These kinds of graphics are the so-called monitoring plots. In addition, upper control limits are also shown for the Q-st (UCLq), represented by a green dashed line, and for the D-st (UCLd), represented by a red continuous line. Subfigure 6(a) shows the statistics values for the total duration of the experiment, while Subfigure 6(b) shows the last 1.5 hours, when the attacks were launched. In the first subfigure, we can discern between three different intervals. In the first one, we experience a high false positive rate, which is caused by the initial random calibration of the sensor. Each sensor uses the EWMA (Exponentially Weighted Moving Average) approach to dynamically calibrate the sensors every  undoubtedly, exceeded indicating that something anomalous is occurring.
Apart from the previous global results, it is worth paying special attention to the attack period. In this way, Subfigure 6(b) shows clear deviations of the statistics values when the attacks are taking place. From DoS (high and low rate) to data exfiltration, the MSNM-Sensor sensor approach is able to detect anomalous behaviors coming from different parts of the whole systems by taking into account only two simple numerical values. Moreover, we can distinguish where the anomaly is coming from by inspecting similar monitoring graphics, but in this case, they are computed from each of the involved routers. This process can be viewed in Figures 7, 8  and 9 for the sensors deployed at R1, R2 and R3, respectively. For instance, from the inspection of the R3 monitoring graph, we can conclude that the attack originated somewhere in the R3 network, similarly for R1 and R2 for the port scanning and data exfiltration attacks, respectively. Additionally, we can see the dynamic adaptation on the sensor to the changes in the environment. It is more evident in the R3 monitoring graphic (see Figure 9), where the UCLq limit adapts its value to cover new trends in Q-st.
Although the previous figures are included in the text to enhance the reading, the MSNM-Sensor application comes with a specific and interactive dashboard. Thanks to this dashboard, the security analyst or the application operator can, in real time, access the previous information and the logical connections of the sensors. A snapshot of the monitoring main section of the tool is shown in Figure 10. The upper part shows the logical connections created among the sensors. The operator can see the direction of the monitoring flow. In this specific scenario, it is clearly shown how the sensors in routers R1, R2 and R3 are configured to send their monitoring information to the BR. In addition, the monitoring graphs will appear in the bottom part by clicking on a specific sensor. Among other actions, the operator can interact with these graphs to pause/play the updating procedure for a better inspection. The dashboard is needed for whatever monitoring system that allows the operator to reduce the response/reaction time when an attack takes place.

V. CONCLUSIONS & FUTURE WORK
This work introduces the MSNM-Sensor (Multivariate Statistical Network Monitoring Sensor), a practical and ready-touse tool for monitoring and detecting security events in complex systems and network environments. The MSNM-S relies on the implementation of the MSNM methodology which allows it address new technological challenges arising from all-connected scenarios, e.g., smart cities and IoT ecosystems, where a large number of devices share information.
Inherited from the MNSM methodology, MSNM-Sensor reduces and efficiently handles the monitoring information, maintaining its detection performance. On the other hand, existing IDS or SIEM solutions consider raw data, thus adding extra monitoring traffic overhead. Moreover, MSNM-Sensor inherently adds privacy in monitoring communications since no sensible or raw data is sent to the central station just the monitoring statistics instead.
The MSNM-Sensor uses lightweight algebraic and statistics operations that allow it to be embedded in less powerful devices, e.g., wearable devices, environmental sensors and IoT devices in general.
Last but not least, the MSNM-Sensor operates in real time, and it is adaptable to changes in the environment where it is deployed without any previous training phases.
Although the MSNM-Sensor has been tested successfully with promising results in hierarchical network systems and architectures to monitor and detect well-known network attacks, the MSNM-Sensor capabilities should be tested in real and complex scenarios, e.g., IoT ecosystems or those found in smart cities. Finally, the anomaly diagnosis operation is still in development; thus, we will focus our future work on this topic.