Fei Tony Liu,Kai Ming Ting,Zhi-Hua Zhou

DOI: https://doi.org/10.1145/2133360.2133363

2012-01-01

Abstract:Anomalies are data points that are few and different. As a result of these properties, we show that, anomalies are susceptible to a mechanism called isolation. This article proposes a method called Isolation Forest (iForest), which detects anomalies purely based on the concept of isolation without employing any distance or density measure---fundamentally different from all existing methods. As a result, iForest is able to exploit subsampling (i) to achieve a low linear time-complexity and a small memory-requirement and (ii) to deal with the effects of swamping and masking effectively. Our empirical evaluation shows that iForest outperforms ORCA, one-class SVM, LOF and Random Forests in terms of AUC, processing time, and it is robust against masking and swamping effects. iForest also works well in high dimensional problems containing a large number of irrelevant attributes, and when anomalies are not available in training sample.

Rithwik Gupta,Daniel Muthukrishna,Michelle Lochner

2024-03-22

Abstract:Automating real-time anomaly detection is essential for identifying rare transients in the era of large-scale astronomical surveys. Modern survey telescopes are generating tens of thousands of alerts per night, and future telescopes, such as the Vera C. Rubin Observatory, are projected to increase this number dramatically. Currently, most anomaly detection algorithms for astronomical transients rely either on hand-crafted features extracted from light curves or on features generated through unsupervised representation learning, which are then coupled with standard machine learning anomaly detection algorithms. In this work, we introduce an alternative approach to detecting anomalies: using the penultimate layer of a neural network classifier as the latent space for anomaly detection. We then propose a novel method, named Multi-Class Isolation Forests (MCIF), which trains separate isolation forests for each class to derive an anomaly score for a light curve from the latent space representation given by the classifier. This approach significantly outperforms a standard isolation forest. We also use a simpler input method for real-time transient classifiers which circumvents the need for interpolation in light curves and helps the neural network model inter-passband relationships and handle irregular sampling. Our anomaly detection pipeline identifies rare classes including kilonovae, pair-instability supernovae, and intermediate luminosity transients shortly after trigger on simulated Zwicky Transient Facility light curves. Using a sample of our simulations that matched the population of anomalies expected in nature (54 anomalies and 12,040 common transients), our method was able to discover $41\pm3$ anomalies (~75% recall) after following up the top 2000 (~15%) ranked transients. Our novel method shows that classifiers can be effectively repurposed for real-time anomaly detection.

Instrumentation and Methods for Astrophysics,High Energy Astrophysical Phenomena,Machine Learning

Ziming Zhao,Zhaoxuan Li,Xiaofei Xie,Jiongchi Yu,Fan Zhang,Rui Zhang,Binbin Chen,Xiangyang Luo,Ming Hu,Wenrui Ma

DOI: https://doi.org/10.1109/tnet.2024.3413789

2024-01-01

Abstract:Anomaly-based network intrusion detection systems (NIDSs) are essential for ensuring cybersecurity. However, the security communities realize some limitations when they put most existing proposals into practice. The challenges are mainly concerned with fine-grained unknown attack detection and ever-changing legitimate traffic adaptation. To tackle these problem, we present three key design norms. The core idea is to construct a model to split the data distribution hyperplane and leverage the concept of isolation, as well as advance the incremental model update. We utilize the isolation tree as the backbone to design our model, named, to echo back three norms. By analyzing the popular dataset of network intrusion traces, we show that significantly outperforms the state-of-the-art methods. Further, we perform an initial deployment of by working with the Internet Service Provider (ISP) to detect distributed denial of service (DDoS) attacks. With real-world tests and manual analysis, we demonstrate the effectiveness of to identify previously-unseen attacks in a fine-grained manner.

Xiaojing Gu,Xingsheng Gu

DOI: https://doi.org/10.3390/e17063806

IF: 2.738

2015-01-01

Entropy

Abstract:Transport Layer Security (TLS) and its predecessor, SSL, are important cryptographic protocol suites on the Internet. They both implement public key certificates and rely on a group of trusted certificate authorities (i.e., CAs) for peer authentication. Unfortunately, the most recent research reveals that, if any one of the pre-trusted CAs is compromised, fake certificates can be issued to intercept the corresponding SSL/TLS connections. This security vulnerability leads to catastrophic impacts on SSL/TLS-based HTTPS, which is the underlying protocol to provide secure web services for e-commerce, e-mails, etc. To address this problem, we design an attribute dependency-based detection mechanism, called SSLight. SSLight can expose fake certificates by checking whether the certificates contain some attribute dependencies rarely occurring in legitimate samples. We conduct extensive experiments to evaluate SSLight and successfully confirm that SSLight can detect the vast majority of fake certificates issued from any trusted CAs if they are compromised. As a real-world example, we also implement SSLight as a Firefox add-on and examine its capability of exposing existent fake certificates from DigiNotar and Comodo, both of which have made a giant impact around the world.

Chunkai Zhang,Ao Yin,Yepeng Deng,Panbo Tian,Xuan Wang,Lifeng Dong

DOI: https://doi.org/10.1007/978-3-319-94295-7_20

2018-01-01

Abstract:In this paper, we propose a novel anomaly detection algorithm, named T-Forest, which is implemented by multiple trident trees (T-trees). Each T-tree is constructed recursively by isolating the data outside of 3 sigma into the left and right subtree and isolating the others into the middle subtree, and each node in a T-tree records the size of datasets that falls on this node, so that each T-tree can be used as a local density estimator for data points. The density value for each instance is the average of all trees evaluation instance densities, and it can be used as the anomaly score of the instance. Since each T-tree is constructed according to 3 sigma principle, each tree in TB-Forest can obtain good anomaly detection results without a large tree height. Compared with some state-of-the-art methods, our algorithm performs well in AUC value, and needs linear time complexity and space complexity. The experimental results show that our approach can not only effectively detect anomaly points, but also tend to converge within a certain parameters range.

Chun-Hui Xiao,Chen Su,Cong-Xiao Bao,Xing Li

DOI: https://doi.org/10.1109/ICNISC.2018.00019

2018-01-01

Abstract:As an important part in network management system, rapid and accurate anomaly detection is one of the preconditions to guarantee the effective work of the network. In general, the network management system will monitor the data of multiple indicators, and the manifestations of network anomalies are complex in the data. Most existing anomaly detection approaches have encountered some trouble in network anomaly detection because of the periodicity of time series data or high time complexity and memory cost working on high-dimensional data. Aiming at the deficiency of present methods of network anomaly detection, we propose an adapted method based on iForest algorithm. We construct some feature extractors through statistical methods to highlight different abnormal behaviors in different indicator and then use the extracted feature data for the construction and prediction of iForest. Combining specific feature extractors, we can eliminate the effects of periodicity, or specify the detection of peaks or troughs to adapt to different indicators. By means of iForest algorithm which has linear time complexity and low memory requirement, our method makes a rapid detection with large dataset and works well in high dimensional network management data.

G. BharathiMohan,S. S. Akshay,Y. Hemanth,B. Bhavana,Kailash Reddy,P. P. Sree

DOI: https://doi.org/10.1109/TEMSCON-ASPAC59527.2023.10531556

2023-12-14

Abstract:Blockchain technology has gained widespread adoption across various industries due to its potential for secure and transparent data management. However, ensuring the integrity and security of transactions within blockchain networks is a critical challenge. Anomaly detection plays a pivotal role in identifying irregularities and potential fraudulent activities within these networks. This research paper delves into the intricacies of anomaly detection in blockchain data, employing a multifaceted approach that encompasses data preprocessing, machine learning models, and feature selection. The study employs the Isolation Forest and K-Means clustering models, offering robust solutions for identifying anomalies in blockchain transactions. Additionally, Long Short-Term Memory (LSTM) networks are leveraged for time series analysis. The results reveal insights into the strengths and limitations of these models, enhancing security measures and data integrity within the blockchain landscape. This comprehensive exploration aids in fortifying the trustworthiness of blockchain networks by detecting unusual and potentially fraudulent activities, contributing to the broader field of anomaly detection in digital transactions.

Computer Science

Haolong Xiang,Xuyun Zhang,Mark Dras,Amin Beheshti,Wanchun Dou,Xiaolong Xu

DOI: https://doi.org/10.1109/icdm58522.2023.00077

2023-01-01

Abstract:Anomaly detection is one of the crucial research topics in artificial intelligence, encompassing various fields such as health monitoring, network intrusion detection, and fraud detection in financial transactions. Deep anomaly detection (DAD) methods are considered as the effective approaches for addressing complex anomaly detection problems. Among them, the deep isolation forest methods have gained rapid development recently due to their simplicity in parameter turning and efficiency in model training. The existing deep isolation forest approaches are all based on representation learning, while OptiForest theoretically proves the crucial role of the tree structure in isolation forest based methods. In this paper, we analyse the search space of isolation trees under specific data instances and address the challenges in finding optimal isolation forest. Based on the theoretical underpinning and genetic algorithm, we design a deep model DOIForest with two mutation schemes and solution selection, which learns the optimal isolation forest and optimises the parameters in data partitioning. Extensive experiments on both synthetic dataset and a series of real-world datasets demonstrate that our approach can achieve better detection accuracy and robustness than the state-of-the-arts.

Ming Sun,Ya Su,Shenglin Zhang,Yuanpu Cao,Yuqing Liu,Dan Pei,Wenfei Wu,Yongsu Zhang,Xiaozhou Liu,Junliang Tang

DOI: https://doi.org/10.1109/infocom42981.2021.9488755

2021-01-01

Abstract:Anomaly detection is indispensable in modern IT infrastructure management. However, the dimension explosion problem of the monitoring data (large-scale machines, many key performance indicators, and frequent monitoring queries) causes a scalability issue to the existing algorithms. We propose a coarse-to-fine model transfer based framework CTF to achieve a scalable and accurate data-center-scale anomaly detection. CTF pre-trains a coarse-grained model, uses the model to extract and compress per-machine features to a distribution, clusters machines according to the distribution, and conducts model transfer to fine-tune per-cluster models for high accuracy. The framework takes advantage of clustering on the per-machine latent representation distribution, reusing the pre-trained model, and partial-layer model fine-tuning to boost the whole training efficiency. We also justify design choices such as the clustering algorithm and distance algorithm to achieve the best accuracy. We prototype CTF and experiment on production data to show its scalability and accuracy. We also release a labeling tool for multivariate time series and a labeled dataset to the research community.

Haolong Xiang,Xuyun Zhang,Hongsheng Hu,Lianyong Qi,Wanchun Dou,Mark Dras,Amin Beheshti,Xiaolong Xu

2023-06-23

Abstract:Anomaly detection plays an increasingly important role in various fields for critical tasks such as intrusion detection in cybersecurity, financial risk detection, and human health monitoring. A variety of anomaly detection methods have been proposed, and a category based on the isolation forest mechanism stands out due to its simplicity, effectiveness, and efficiency, e.g., iForest is often employed as a state-of-the-art detector for real deployment. While the majority of isolation forests use the binary structure, a framework LSHiForest has demonstrated that the multi-fork isolation tree structure can lead to better detection performance. However, there is no theoretical work answering the fundamentally and practically important question on the optimal tree structure for an isolation forest with respect to the branching factor. In this paper, we establish a theory on isolation efficiency to answer the question and determine the optimal branching factor for an isolation tree. Based on the theoretical underpinning, we design a practical optimal isolation forest OptIForest incorporating clustering based learning to hash which enables more information to be learned from data for better isolation quality. The rationale of our approach relies on a better bias-variance trade-off achieved by bias reduction in OptIForest. Extensive experiments on a series of benchmarking datasets for comparative and ablation studies demonstrate that our approach can efficiently and robustly achieve better detection performance in general than the state-of-the-arts including the deep learning based methods.

Machine Learning,Artificial Intelligence

Rithwik Gupta,Daniel Muthukrishna,Michelle Lochner

2024-08-06

Abstract:Automating anomaly detection is an open problem in many scientific fields, particularly in time-domain astronomy, where modern telescopes generate millions of alerts per night. Currently, most anomaly detection algorithms for astronomical time-series rely either on hand-crafted features or on features generated through unsupervised representation learning, coupled with standard anomaly detection algorithms. In this work, we introduce a novel approach that leverages the latent space of a neural network classifier for anomaly detection. We then propose a new method called Multi-Class Isolation Forests (MCIF), which trains separate isolation forests for each class to derive an anomaly score for an object based on its latent space representation. This approach significantly outperforms a standard isolation forest when distinct clusters exist in the latent space. Using a simulated dataset emulating the Zwicky Transient Facility (54 anomalies and 12,040 common), our anomaly detection pipeline discovered $46\pm3$ anomalies ($\sim 85\%$ recall) after following up the top 2,000 ($\sim 15\%$) ranked objects. Furthermore, our classifier-based approach outperforms or approaches the performance of other state-of-the-art anomaly detection pipelines. Our novel method demonstrates that existing and new classifiers can be effectively repurposed for real-time anomaly detection. The code used in this work, including a Python package, is publicly available, <a class="link-external link-https" href="https://github.com/Rithwik-G/AstroMCAD" rel="external noopener nofollow">this https URL</a>.

Machine Learning,High Energy Astrophysical Phenomena,Instrumentation and Methods for Astrophysics

Chunkai Zhang,Haodong Liut,Ye Li,Ao Yin,Zoe L. Jiang,Qing Liao,Xuan Wang

DOI: https://doi.org/10.1109/spac.2017.8304323

2017-01-01

Abstract:Anomaly detection refers to the algorithm to find the anomalies among the data. As a branch of data mining, it has important research significance. With the advance of sensor technology, data is always distributed at many places. To ensure that the data owners privacy data is not disclosed in the process of anomaly detection, the privacy preserving scheme is necessary. In this paper, we propose a provable secure structure, Secure Isolation Forest(SIF), which is a distributed anomaly detection algorithm based on ensemble isolation principle. We improve performance and detection capabilities by fixed the height of trees and adopt an effective homomorphic cryptosystem. Our construction allows the inputs encrypted by different independent public keys. Lastly, we highlight the practicability of our construction by extensive experimental evaluation.

Andrew Elliott,Mihai Cucuringu,Milton Martinez Luaces,Paul Reidy,Gesine Reinert

DOI: https://doi.org/10.48550/arXiv.1901.00402

2019-05-25

Abstract:This paper is motivated by the task of detecting anomalies in networks of financial transactions, with accounts as nodes and a directed weighted edge between two nodes denoting a money transfer. The weight of the edge is the transaction amount. Examples of anomalies in networks include long paths of large transaction amounts, rings of large payments, and cliques of accounts. There are many methods available which detect such specific structures in networks. Here we introduce a method which is able to detect previously unspecified anomalies in networks. The method is based on a combination of features from network comparison and spectral analysis as well as local statistics, yielding 140 main features. We then use a simple feature sum method, as well as a random forest method, in order to classify nodes as normal or anomalous. We test the method first on synthetic networks which we generated, and second on a set of synthetic networks which were generated without the methods team having access to the ground truth. The first set of synthetic networks was split in a training set of 70 percent of the networks, and a test set of 30 percent of the networks. The resulting classifier was then applied to the second set of synthetic networks. We compare our method with Oddball, a widely used method for anomaly detection in networks, as well as to random classification. While Oddball outperforms random classification, both our feature sum method and our random forest method outperform Oddball. On the test set, the random forest outperforms feature sum, whereas on the second synthetic data set, initially feature sum tends to pick up more anomalies than random forest, with this behaviour reversing for lower-scoring anomalies. In all cases, the top 2 percent of flagged anomalies contained on average over 90 percent of the planted anomalies.

Applications,Social and Information Networks,Physics and Society

Iman Kohyarnejadfard,Daniel Aloise,Seyed Vahid Azhari,Michel R. Dagenais

DOI: https://doi.org/10.1186/s13677-022-00296-4

2022-08-14

Journal of Cloud Computing

Abstract:In recent years DevOps and agile approaches like microservice architectures and Continuous Integration have become extremely popular given the increasing need for flexible and scalable solutions. However, several factors such as their distribution in the network, the use of different technologies, their short life, etc. make microservices prone to the occurrence of anomalous system behaviours. In addition, due to the high degree of complexity of small services, it is difficult to adequately monitor the security and behavior of microservice environments. In this work, we propose an NLP (natural language processing) based approach to detect performance anomalies in spans during a given trace, besides locating release-over-release regressions. Notably, the whole system needs no prior knowledge, which facilitates the collection of training data. Our proposed approach benefits from distributed tracing data to collect sequences of events that happened during spans. Extensive experiments on real datasets demonstrate that the proposed method achieved an F_score of 0.9759. The results also reveal that in addition to the ability to detect anomalies and release-over-release regressions, our proposed approach speeds up root cause analysis by means of implemented visualization tools in Trace Compass.

English Else

Salvatore Vilella,Arthur Thomas Edward Capozzi Lupi,Marco Fornasiero,Dario Moncalvo,Valeria Ricci,Silvia Ronchiadin,Giancarlo Ruffo

DOI: https://doi.org/10.48550/arXiv.2311.14778

2024-02-19

Abstract:This paper explores anomaly detection through temporal network analysis. Unlike many conventional methods, relying on rule-based algorithms or general machine learning approaches, our methodology leverages the evolving structure and relationships within temporal networks, that can be used to model financial transactions. Focusing on minimal changes in stable ecosystems, such as those found in large international financial institutions, our approach utilizes network centrality measures to gain insights into individual nodes. By monitoring the temporal evolution of centrality-based node rankings, our method effectively identifies abrupt shifts in the roles of specific nodes, prompting further investigation by domain experts. To demonstrate its efficacy, our methodology is applied in the Anti-Financial Crime (AFC) domain, analyzing a substantial financial dataset comprising over 80 million cross-country wire transfers. The goal is to pinpoint outliers potentially involved in malicious activities, aligning with financial regulations. This approach serves as an initial stride towards automating AFC and Anti-Money Laundering (AML) processes, providing AFC officers with a comprehensive top-down view to enhance their efforts. It overcomes many limitations of current prevalent paradigms, offering a holistic interpretation of the financial data landscape and addressing potential blindness to phenomena that cannot be effectively estimated through single-node or narrowly focused transactional approaches.

Social and Information Networks,Computational Engineering, Finance, and Science,Information Retrieval

Yifan Liao,Ming Xu,Yun Lin,Xiwen Teoh,Xiaofei Xie,Ruitao Feng,Frank Liaw,Hongyu Zhang,Jin Song Dong

DOI: https://doi.org/10.1145/3691620.3695024

2024-01-01

Abstract:Web applications are crucial infrastructures in the modern society, which have high demand of reliability and security. However, their frontend can be manipulable by the clients (e.g., the frontend code can be modified to bypass some validation steps), which incurs the runtime anomaly when operating the web service. Existing state-of-the-art anomaly detectors largely learn a deep learning model from the collected logs to predict abnormal logs with a probability. While effective in general, those approaches can suffer from (1) inaccuracy caused by subtle difference between the normal and abnormal/attack logs and (2) additional efforts for root cause analysis. In this work, we propose WebNorm, an anomaly detection approach to detect and explain the attack-caused anomalies on web applications in a unified way. Our rationale lies in learning the behaviorial normalities of a running web application as invariants. The normalities are designed regarding data normality (e.g., what information must be consistent across different events), flow normality (e.g., what events must happen under certain circumstances), and common-sense normality (e.g., what is the normal range of some parameters). The violation of the invariants indicates both the alarm and its explanation. WebNorm first monitors the normal behaviors of subject application and captures its information flows between entities such as frontend, service, and database. Then, it learns the behaviorial normalities in terms of logical rules so that it can detect and explain behaviorial anomaly by the inconsistency between the learned normalities and the runtime application behaviors. We model the invariants as first-order logics, transferrable to executable Python scripts to generate alarm with explainable root cause. Our extensive experiment shows that, on detecting the tamper attacks on the web applications as TrainTicket and NiceFish. WebNorm improves the precision and the recall of the baselines such as LogAnomaly, LogRobust, DeepLog, NeuralLog, PLELog, ReplicaWatcher by more than 56.1% and 35.1% respectively, serving as a new state-of-the-art anomaly detection solution.

Tharindu R. Bandaragoda,Kai Ming Ting,David Albrecht,Fei Tony Liu,Ye Zhu,Jonathan R. Wells

DOI: https://doi.org/10.1111/coin.12156

2018-01-01

Computational Intelligence

Abstract:The first successful isolation-based anomaly detector, ie, iForest, uses trees as a means to perform isolation. Although it has been shown to have advantages over existing anomaly detectors, we have identified 4 weaknesses, ie, its inability to detect local anomalies, anomalies with a high percentage of irrelevant attributes, anomalies that are masked by axis-parallel clusters, and anomalies in multimodal data sets. To overcome these weaknesses, this paper shows that an alternative isolation mechanism is required and thus presents iNNE or isolation using Nearest Neighbor Ensemble. Although relying on nearest neighbors, iNNE runs significantly faster than the existing nearest neighbor-based methods such as the local outlier factor, especially in data sets having thousands of dimensions or millions of instances. This is because the proposed method has linear time complexity and constant space complexity.

Xuyun Zhang,Wanchun Dou,Qiang He,Rui Zhou,Christopher Leckie,Ramamohanarao Kotagiri,Zoran Salcic

DOI: https://doi.org/10.1109/icde.2017.145

2017-01-01

Abstract:Anomaly or outlier detection is a major challenge in big data analytics because anomaly patterns provide valuable insights for decision-making in a wide range of applications. Recently proposed anomaly detection methods based on the tree isolation mechanism are very fast due to their logarithmic time complexity, making them capable of handling big data sets efficiently. However, the underlying similarity or distance measures in these methods have not been well understood. Contrary to the claims that these methods never rely on any distance measure, we find that they have close relationships with certain distance measures. This implies that the current use of this fast isolation mechanism is only limited to these distance measures and fails to generalise to other commonly-used measures. In this paper, we propose a generic framework named LSHiForest for fast tree isolation based ensemble anomaly analysis with the use of a Locality-Sensitive Hashing (LSH) forest. Being generic, the proposed framework can be instantiated with a diverse range of LSH families, and the fast isolation mechanism can be extended to any distance measures, data types and data spaces where an LSH family is defined. In particular, the instances of our framework with kernelised LSH families or learning based hashing schemes can detect complicated anomalies like local or surrounded anomalies. We also formally show that the existing tree isolation based detection methods are special cases of our framework with the corresponding distance measures. Extensive experiments on both synthetic and real-world benchmark data sets show that the framework can achieve both high time efficiency and anomaly detection quality.

Yang Cao,Haolong Xiang,Hang Zhang,Ye Zhu,Kai Ming Ting

2024-03-16

Abstract:Anomaly detection is a longstanding and active research area that has many applications in domains such as finance, security, and manufacturing. However, the efficiency and performance of anomaly detection algorithms are challenged by the large-scale, high-dimensional, and heterogeneous data that are prevalent in the era of big data. Isolation-based unsupervised anomaly detection is a novel and effective approach for identifying anomalies in data. It relies on the idea that anomalies are few and different from normal instances, and thus can be easily isolated by random partitioning. Isolation-based methods have several advantages over existing methods, such as low computational complexity, low memory usage, high scalability, robustness to noise and irrelevant features, and no need for prior knowledge or heavy parameter tuning. In this survey, we review the state-of-the-art isolation-based anomaly detection methods, including their data partitioning strategies, anomaly score functions, and algorithmic details. We also discuss some extensions and applications of isolation-based methods in different scenarios, such as detecting anomalies in streaming data, time series, trajectory, and image datasets. Finally, we identify some open challenges and future directions for isolation-based anomaly detection research.

Machine Learning

Lenka Benova,Ladislav Hudec

DOI: https://doi.org/10.3390/s24030746

IF: 3.9

2024-01-24

Sensors

Abstract:In this study, we present a novel machine learning framework for web server anomaly detection that uniquely combines the Isolation Forest algorithm with expert evaluation, focusing on individual user activities within NGINX server logs. Our approach addresses the limitations of traditional methods by effectively isolating and analyzing subtle anomalies in vast datasets. Initially, the Isolation Forest algorithm was applied to extensive NGINX server logs, successfully identifying outlier user behaviors that conventional methods often overlook. We then employed DBSCAN for detailed clustering of these anomalies, categorizing them based on user request times and types. A key innovation of our methodology is the incorporation of post-clustering expert analysis. Cybersecurity professionals evaluated the identified clusters, adding a crucial layer of qualitative assessment. This enabled the accurate distinction between benign and potentially harmful activities, leading to targeted responses such as access restrictions or web server configuration adjustments. Our approach demonstrates a significant advancement in network security, offering a more refined understanding of user behavior. By integrating algorithmic precision with expert insights, we provide a comprehensive and nuanced strategy for enhancing cybersecurity measures. This study not only advances anomaly detection techniques but also emphasizes the critical need for a multifaceted approach in protecting web server infrastructures.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation