Research

MSNM

We call multivariate statistical network monitoring (MSNM) the approach that applies the theory of multivariate statistical process control (MSPC) to anomaly detection in communication networks, such as the Internet. MSNM is very useful for cybersecurity and computer network management, and it has specificities not found in MSPC.

The main challenge in MSNM, and also the main difference between MSPC and MSNM, is data preparation. In MSPC, the monitored variables, such as temperatures, pressures and concentrations, are measured directly from the process, so little or no preparation is needed. Observations are typically ordered in time, at regular or variable sampling rates, again with little or no preparation.

In MSNM, we have the opposite situation. In a network, most of the information comes in the form of logs or data packets: unstructured information that cannot be used directly in an MSNM set-up. Instead, logs and packets need to be translated into quantitative variables, and there are many ways to do so. This step is typically referred to as data parsing or feature engineering. The parser is in charge of converting textual information into quantitative variables that are of value for anomaly detection. There is no systematic way to do this, which opens very interesting research directions.

Second, the definition of the observations in MSNM is not straightforward either. Although observations are typically ordered in time, it may be useful to define them in terms of the relevant entities in a network, such as the devices in it, as in the Figure.

(Figure: MSNM)
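As an added, illustrative example (not code from this research page or from its authors), the following Python script carries out the two preparation steps discussed above, the parsing of text into quantitative variables and the choice of what an observation is, on constructed firewall-style log lines in a hypothetical format. It parses each line into a record, turns the categorical fields (action, protocol, destination port) into counters, and then builds the observations-by-variables matrix twice: once with observations defined as one-minute time windows and once with observations defined as network devices. The log format, the regular expression, the counter names and the window/device key functions are all assumptions made for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample in a hypothetical firewall-log format (not from the page):
# "<ISO timestamp> <device> <ACCEPT|DROP> <proto> <src> -> <dst>:<dport>"
SAMPLE_LOGS = """\
2024-03-01T10:00:03Z host1 ACCEPT TCP 10.0.0.5 -> 93.184.216.34:443
2024-03-01T10:00:17Z host1 ACCEPT UDP 10.0.0.5 -> 10.0.0.1:53
2024-03-01T10:00:41Z host2 DROP TCP 10.0.0.7 -> 198.51.100.9:22
2024-03-01T10:01:02Z host2 ACCEPT TCP 10.0.0.7 -> 93.184.216.34:443
2024-03-01T10:01:30Z host1 DROP TCP 10.0.0.5 -> 198.51.100.9:4444
2024-03-01T10:01:55Z host2 DROP TCP 10.0.0.7 -> 198.51.100.9:4444
this line is not a log record and must be skipped
"""

# Assumed line layout for the example; a real parser would target the real log format.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<dev>\S+) "
    r"(?P<action>ACCEPT|DROP) (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>\S+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Ports that get their own counter; everything else is folded into "dport_other"
# so the number of variables stays bounded however many ports appear in new data.
WELL_KNOWN_PORTS = {"22", "53", "80", "443"}


def parse_line(line):
    """Turn one text line into a record dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def parse_logs(text):
    """Parse a block of text, silently dropping lines that are not records."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def record_features(rec):
    """Map the categorical values of one record to counter names (quantitative variables)."""
    port = rec["dport"] if rec["dport"] in WELL_KNOWN_PORTS else "other"
    return [f"action_{rec['action']}", f"proto_{rec['proto']}", f"dport_{port}", "n_records"]


def by_window(rec, seconds=60):
    """Observation = fixed time window; the key is the window start as a UNIX epoch."""
    epoch = int(rec["ts"].timestamp())
    return epoch - epoch % seconds


def by_device(rec):
    """Observation = network entity; here the device that logged the event."""
    return rec["dev"]


def build_matrix(records, key_fn, columns=None):
    """Aggregate records into an observations x variables count matrix.

    `columns` should be fixed during calibration and reused for new data, so that
    a value never seen before does not silently change the dimensionality of X.
    Returns (row keys, column names, X) with rows and columns in sorted order.
    """
    rows = defaultdict(Counter)
    for rec in records:
        rows[key_fn(rec)].update(record_features(rec))
    if columns is None:
        columns = sorted({f for c in rows.values() for f in c})
    keys = sorted(rows)
    X = [[rows[k][f] for f in columns] for k in keys]
    return keys, list(columns), X


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    for name, key_fn in (("time window", by_window), ("device", by_device)):
        keys, cols, X = build_matrix(recs, key_fn)
        print(f"observations = {name}: {len(keys)} rows x {len(cols)} variables")
        print("  ", cols)
        for k, row in zip(keys, X):
            print("  ", k, row)
```

Running the script prints both matrices: the same six records give different rows under each observation definition, which is exactly the flexibility the text refers to. Fixing `columns` at calibration time keeps the number of variables stable when unseen values (for instance a new destination port) turn up in test data. The returned matrix is the input an MSPC model would then be calibrated on; the model itself is outside this example.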

The flexibility in the definition of both variables and observations makes MSNM more challenging, but also more powerful, than traditional MSPC.