There has been a large mining farm pulsing Masari with a period of almost exactly 24h, with a minimum amplitude at midnight EST.
Guess-work: This is might be an office network mining overnight somewhere in Asia. Things like profitability seldom correspond to any exact period, so I doubt this farm is switching to a more profitable coin. Masari's large mining pools use PPLNS, so this isn't a pool hopper. Since difficulty adjusts quickly based off the median of the last 100 blocks, this probably isn't a miner snatching blocks quickly before the difficutly can adjust. Even though these pulses do amount to more than 51% of the network, and it's impossible to tell if a 51% attack has occured without someone continuously monitoring the network, I've noticed that centralized mining is common for altcoins and there have been no reported thefts from exchanges.
A nonce is a piece of information in each block.
Miner's create new blocks by running a cryptographic hash function over: the previous block's hash, hashes from unconfirmed transactions on the network (you can see these unconfirmed txes live here), a hash for the miner's reward, and a few other pieces of information.
Together with this input information, an arbitrary number called a nonce is thrown in to increase mining difficulty. Multiple nonces may satisfy the hash function, but since they are scattered from 0 to ~4.3 billion, any one of them takes a while to find.
Although valid nonces are evenly distributed over the sample space, mining software does not have to search the sample space randomly. Because of this, we should see patterns in nonce values from block to block which are caused by the search algorithms used in mining software. When these patterns change, it is an indication of changes to popular mining software.
This is how we can potentially detect the presence of ASICs from nonce values.