
Network Intrusion Detection Clustering & Gradient

This paper discusses the increasing need for effective Network Intrusion Detection Systems (NIDS) due to the rise in network attacks. It proposes the use of machine learning algorithms, specifically XGBoost and AdaBoost, with and without clustering techniques, to improve detection accuracy using the NSL KDD dataset. The study highlights the challenges faced by existing systems and emphasizes the importance of reducing false positives while accurately identifying malicious activities.

IEEE - 43488

NETWORK INTRUSION DETECTION USING CLUSTERING AND GRADIENT BOOSTING

Parag Verma, Shayan Anwar, Shadab Khan, Dr. Sunil B Mane
Department of Computer Engineering & IT, College of Engineering, Pune

9th ICCCNT 2018, July 10-12, 2018, IISC, Bengaluru, India

Abstract— An unauthorized activity on the network is called a network intrusion, and a device or software application which monitors the network parameters in order to detect such an intrusion is called a network intrusion detection system (NIDS). With the high rise in malicious activities on the internet, it is extremely important for an NIDS to quickly and correctly identify any kind of malicious activity on the network. Moreover, the system must refrain from raising false alarms in which normal usage is detected as malicious. This paper proposes the use of machine learning classification algorithms, XGBoost and AdaBoost, with and without clustering to train a model for NIDS. The models are trained and tested using the NSL KDD dataset, and the results are an improvement over previous works related to intrusion detection on the same dataset.

Index Terms— Intrusion detection, XGBoost, AdaBoost, Machine learning, decision trees, classification algorithm, clustering algorithm, gradient boosting

I. INTRODUCTION

Technology has evolved exponentially in the past few decades. And just as technology brings ever greater benefits, it also brings ever greater threats. With the recent advancements in Internet technologies, there has been a significant increase in network attacks. Network intrusion detection is hence an important research issue of the hour. Although remarkable progress has been made in this field, there is still a lot of scope to improve methods of detecting and preventing network-based attacks.

According to the Internet Security Threat Report (ISTR) 2017 [1], attackers broke all records this year in terms of magnitude and disruption. 2017 was a year which introduced the world to some of the biggest all time attacks, including huge virtual money bank thefts, attempts to disrupt the US electoral process and some of the most disruptive distributed denial of service (DDoS) attacks in the history of the internet. With the rise in the number of network attacks in recent years, there is an increasing need for systems capable of detecting network intrusions, which pose a massive security risk.

A. Related Work

This section focuses on previous works in the field of intrusion detection and the algorithms and techniques used to carry out the experiments. Statistics-based approaches like Denning's model check the audit records of a system to identify abnormal patterns of system usage and monitor this data to detect security violations [2]. NetSTAT [3] identifies the network events that need to be monitored and, in addition, determines how those events can be monitored. It uses a formal model for both the network and attacks.

Another approach to detecting network intrusion uses data mining based techniques. Hai Jin et al. [6] apply fuzzy clustering methods to intrusion detection. In this approach, the raw data points are clustered into different classes using feature selection, normalizing raw data and building fuzzy similar matrices. H. Han presents an algorithm called Signature Apriori, which is capable of generating signatures for misuse detection IDS. The main feature of this method is that it uses not only attributes of the transfer protocol, but also the content of traffic [7].

Supervised learning based approaches can also give substantial results in intrusion detection scenarios. Bonifacio et al. [8] use Multilayer Perceptron Neural Networks to identify intrusive behavior, using Backpropagation, Quickprop and Rprop as training algorithms. Mill and Inoue [9] propose the TreeSVM and ArraySVM. The proposed method is capable of tackling the problem of inefficiency in the sequential minimal optimization algorithm for the large set of training data in intrusion detection.

Among clustering based approaches, Guan et al. [10] propose Y-means for intrusion detection, which is a k-means based clustering algorithm. Jiang et al. [11] modify this algorithm using incremental clustering to improve detection of anomalous values.

II. INTRUSION DETECTION SYSTEMS (IDS)

According to Anderson [12], intrusion can be defined as an attempt to access or modify information, or to disrupt the functioning of a system. When it comes to detecting an intrusion attempt, the major tasks involve monitoring and analyzing user, system, and network activities; identifying vulnerabilities; recognizing patterns of typical attacks; and analyzing abnormal activities [12].

A. Classification of Intrusion Detection Systems (IDS)

IDSs can be classified depending on where they are set up:

1) Host based Intrusion Detection System (HIDS): A host based intrusion detection system involves setting up an application on a system to monitor it. Log files or auditing agents of the system are used as sources of data by the application. The system's internals are monitored and analyzed along with network packets in order to detect anomalies in HIDS.

2) Network based Intrusion Detection System (NIDS): An NIDS detects intrusions in network data. Unlike HIDS, this system is established at the network level rather than on an individual system. The NIDS monitors incoming packets and tries to find suspicious patterns. It also provides information about intrusion from outgoing or local traffic.

B. Architecture of Intrusion Detection Systems

An IDS can be designed in two ways: signature-based, or behavioral-based, also called anomaly detection (AD). Signature-based detection uses an existing set of already identified attack signatures, which is periodically updated when a new attack is found. The signature of the suspicious traffic is matched with the signatures in the attack set to detect intrusion. Although these systems are successful in detecting existing attacks, they fail to detect new malware because its signature is not available in the existing set.

Behavioral-based detection, on the other hand, is also capable of defending against new malicious behaviors. This detection uses machine learning to learn the behavior of normal traffic. Traffic with a behavior that diverges significantly from the normal is detected as an anomaly. The main benefit of this method is that it works without any existing set of known attack signatures.

C. Anomaly Based IDS in Networks

Anomaly based network intrusion detection, as stated in [12], involves identifying exceptional patterns in network traffic that diverge from the normal behavior. The divergent behavior patterns are known as anomalies or outliers.

D. Properties of Anomaly based NIDS

The main purpose of Anomaly based Network Intrusion Detection Systems (NIDS) is to process network data by monitoring packets on the network, look for patterns, and determine whether the input data is an anomaly or a normal data instance. NIDS operate in three different modes: (i) supervised, which uses training data from both the normal and anomaly classes; (ii) semi-supervised, which uses labeled instances of data only for the normal classes; and (iii) unsupervised, which requires no labeled instances of data, the labeling being done by the system itself [12].

E. Challenges

Reference [15] discusses the challenges that existing ADs have to face [16], [17]. The major difficulty is incorrect detection of normal traffic as malicious, also known as a high false positive rate. As far as unsupervised AD is concerned, it will consider sufficiently divergent traffic as anomalous. But in practical scenarios it is not necessary that all anomalous traffic is malicious. This creates a need for human supervision, which defeats the core purpose of AD. Another obstacle is that attacks may be highly volatile and long-lasting. After a certain period of this traffic flow, the AD considers the dominant attack traffic as normal and the rest as anomalous. Because of all these challenges, there is a need for detection systems that are capable of both learning the long-term characteristics of the network and adapting to new malicious behavior.

III. MACHINE LEARNING ALGORITHMS

This section gives a brief introduction to different machine learning algorithms and their use in creating a useful model from a large collection of raw data.

Broadly, machine learning algorithms can be categorized in two parts: supervised learning and unsupervised learning. Supervised learning is when output labels are available for each set of input values and the main task of the machine learning algorithm is to map these inputs to output labels. Unsupervised learning is when no output labels are available and the major task of the algorithm is to find patterns within the available input values.

Approaches to machine learning:


A. Decision tree learning:

Decision tree learning uses a tree-like graph or model of decisions and their possible consequences to predict the target value of an item based on its attributes/observation values. Algorithms for constructing decision trees usually work in a top-down manner. A variable that best splits the set of items is chosen at each step [22].

B. Clustering:

Grouping a set of observations into smaller subsets, such that observations within their own cluster are similar in some metric and are simultaneously dissimilar to points in other clusters, is known as clustering. Different clustering techniques use different assumptions about the properties of the data, and note similarity using some measure. Other methods include estimated density and graph connectivity. Clustering is considered an unsupervised learning technique since it does not take target labels into account.

C. Boosting Algorithms

1. Adaptive Boosting

AdaBoost is short for “Adaptive Boosting”. It was proposed by Freund and Schapire in 1996 and is the first practical boosting algorithm. It converts a set of weak classifiers into a strong one. The final equation for classification can be represented as:

where f_m stands for the mth weak classifier and θ_m is the corresponding weight. This is the weighted combination of M weak classifiers. The AdaBoost algorithm procedure is as follows:

Given a data set containing n points, where

Here -1 denotes the negative class while 1 represents the positive one.

Firstly, initialize the weight for each data point as:

For iteration m=1,…,M:

(1) Fit weak classifiers to the data set and select the one with the lowest weighted classification error:

(2) Calculate the weight for the mth weak classifier:

This weight can be positive or negative depending on the accuracy of the classifier. If the accuracy of a classifier is low, inverting the sign of its weight turns it into a high accuracy classifier. Only a classifier with exactly 50% accuracy is unimportant, as even flipping the sign will not add anything significant to the prediction.

(3) Update the weight for each data point as:

where Z_m is a normalization factor (ensures the summation of instance weights = 1).

2. eXtreme Gradient Boosting

XGBoost is short for the eXtreme Gradient Boosting package. It is an efficient and scalable implementation of the gradient boosting framework [33][34]. It is the most widely used algorithm in Kaggle competitions for applied machine learning on structured and tabular data. It automatically performs parallel computation on Windows and Linux and supports customized objective and evaluation functions.

It was built to efficiently optimize every bit of memory and hardware resources specifically for tree boosting algorithms. It focuses on computational speed and model performance.

It can accept input data in a variety of forms and is optimized for sparse input. XGBoost supports three main forms of gradient boosting: Gradient boosting machine [35], Stochastic Gradient Boosting [36] and Regularized Gradient Boosting [23]. It is robust and supports the addition of regularization parameters and fine tuning.

XGBoost tries to determine the step directly by solving:

for each x in the data set. Second-order Taylor expansion of the loss function around the current estimate f(m-1)(x) gives:


where
g_m(x) = gradient,
h_m(x) = Hessian (second order derivative) at the current estimate:

Then the loss function can be rewritten as:

where,
G_jm = the sum of gradient in region j
H_jm = the sum of hessian in region j

The optimal weight can be determined as follows

Put it back to the loss function:

This gives us the structure score for a tree. The smaller the score is, the better the structure is. Thus, for each split to make, the proxy gain is:

Including regularization, rewrite the loss function:

where γ is the penalization term on the number of terminal nodes, α and λ are for L1 and L2 regularization respectively. The optimal weight for each region j is calculated as:

The gain of each split is defined correspondingly:

IV. EXPERIMENTS

A. Dataset description

The NSL-KDD is an improved version of the KDD-99 Dataset [24], one of the most popular datasets used in training classifiers for intrusion detection. The dataset was recorded by Lincoln Labs over a period of 9 weeks, simulating a typical US Air Force LAN. The first 7 weeks constituted the training set and the last 2 weeks of data is the test set. Studies like [25] have brought to light some of the inherent problems of the original dataset, prompting the need for a better dataset. Significant improvements over the original dataset are mentioned here [26].

The NSL KDD, similar to its predecessor, contains 41 features, 3 of which are Nominal attributes and the rest 38 are Numeric attributes. The datasets contain a total of 24 training attack types, with an additional 14 types in the test data only. The total number of data points in the training set are 125973. Out of these, 67343 (53.4%) are classified as ‘normal’ connections and the rest 58630 (47.6%) are classified as an ‘attack’.


The test set has a total of 22554 points, split as 9711 (43.0%) as normal and 12833 (57%) as attack. The probability distribution of the test data and training data has been deliberately kept different. The test data also contains certain attack types which are not present in the training data, making the job more realistic. For the purpose of this experiment, the dataset was split in 80-20 ratio to check the model on training set.

TABLE I. DATASET DESCRIPTION

| Data Set Type | Total Number of Records | Normal | DoS | Probe | U2R | R2L |
|---|---|---|---|---|---|---|
| Train | 125973 | 67343 (53.46%) | 45927 (36.46%) | 11656 (9.25%) | 52 (0.04%) | 995 (0.79%) |
| Test | 22544 | 9711 (43.08%) | 7458 (33.08%) | 2421 (10.74%) | 200 (0.89%) | 2754 (12.21%) |

B. Preprocessing

1. Dropping Redundant Columns: The ‘num_outbound_cmds’ column contained only a single value, i.e. 0. This column was therefore removed since it made no contribution.
2. Factorization and One Hot Encoding: Features like ‘protocol_type’, ‘service’ and ‘flag’ are Nominal and Text type features. First we factorized them to convert them into nominal numeric features and then performed One Hot Encoding to further convert them into binary features.
3. Feature Scaling: All features were scaled by subtracting the mean and scaling to unit variance in the training set. The same mean and standard deviation are again used to scale test data.
4. Finding the number of optimal clusters: Starting with 1 cluster, up to a suitable number of clusters, say 10, the training set is fit to the K-means clustering algorithm and Within Cluster Sum of Squares (WCSS) vs number of clusters is plotted. Then the Elbow method is used to find the optimal number of clusters. Experimentally, that came out to be 7.

C. Metrics

Target Vector has 2 classes – True (1) and False (0). Comparing actual and predicted values, we can then calculate metrics based on a confusion matrix.

TABLE II. CONFUSION MATRIX

| Actual \ Predicted | True | False |
|---|---|---|
| True | True Positive | False Negative |
| False | False Positive | True Negative |

1. Precision: TP / (TP + FP)
2. Recall: TP / (TP + FN)
3. F1-Score: Harmonic Mean of Precision and Recall, i.e. 2 * Precision * Recall / (Precision + Recall)
4. Accuracy: (TP + TN) / (TP + FN + FP + TN)

D. Methodology

First, we used the XGBoost algorithm with default parameters (number of estimators = 100, maximum depth = 3, regularization alpha = 0 and regularization lambda = 1) on the preprocessed data. Similarly, the AdaBoost algorithm with a Decision Tree Classifier as base estimator and number of estimators = 50 was used. All 41 features were used in the above 2 experiments. We repeated the same experiments by selecting a subset of features using the CFS Subset selection algorithm on WEKA, which selected 6 attributes, but accuracy on the test set did not improve.

The second approach was to first cluster the data points and then train a classifier for each cluster. For the test set, we then first predict the cluster in which the data point lies and then choose the corresponding classifier to classify the data point.

In addition, we used Grid Search to tune the hyperparameters of our classifiers. The optimal parameters for XGBoost were found to be as follows:
number of estimators = 10,
maximum depth of a tree = 10,
L1 regularization term on weights = 0.5,
L1 regularization term on weights = 0.1
and for AdaBoost with Decision Tree Classifier, the optimum number of estimators was found to be 100.
To obtain results on the training set, an 80:20 split and 10 fold cross validation have been used.

E. Observations:

1. XGBoost trained on Training Set – Evaluated on supplied Test Set:

a. With Clustering:

| Actual \ Predicted | True | False |
|---|---|---|
| True | 9461 | 3372 |
| False | 265 | 9445 |


b. Without Clustering:

| Actual \ Predicted | True | False |
|---|---|---|
| True | 8755 | 4078 |
| False | 744 | 8966 |

2. AdaBoost trained on Training Set – Evaluated on supplied Test Set

a. With Clustering:

| Actual \ Predicted | True | False |
|---|---|---|
| True | 8997 | 3836 |
| False | 276 | 9394 |

b. Without Clustering:

| Actual \ Predicted | True | False |
|---|---|---|
| True | 8709 | 4124 |
| False | 725 | 8985 |

F. Results:

TABLE II. RESULTS ON TEST DATASET

| Classifier | Precision | Recall | F1 Score | Accuracy |
|---|---|---|---|---|
| XGBoost with K-Means Clustering | 87.116 | 83.866 | 83.867 | 84.253 |
| AdaBoost with K-Means Clustering | 85.921 | 81.888 | 82.056 | 82.011 |
| XGBoost | 84.514 | 79.641 | 79.455 | 80.238 |
| AdaBoost | 83.012 | 80.543 | 80.217 | 80.731 |

TABLE III. RESULTS ON TRAINING DATASET

| Classifier | Precision | Recall | F1 Score | Accuracy |
|---|---|---|---|---|
| XGBoost with K-Means Clustering | 99.86 | 99.86 | 99.86 | 99.86 |
| AdaBoost with K-Means Clustering | 99.85 | 99.84 | 99.84 | 99.84 |
| XGBoost | 99.75 | 99.70 | 99.75 | 99.70 |
| AdaBoost | 99.39 | 99.39 | 99.38 | 99.39 |

V. COMPARISON WITH PREVIOUS WORKS

TABLE IV. COMPARISON ON TEST DATASET

| Classifier | Accuracy |
|---|---|
| XGBoost with K-Means Clustering (Proposed) | 84.253 |
| SOM [27] | 75.49 |
| ANN [28] | 81.2 |
| SVM [29] | 82.38 |

TABLE V. COMPARISON ON TRAINING DATASET

| Classifier | Accuracy |
|---|---|
| XGBoost with K-Means Clustering (Proposed) | 99.86 |
| AdaBoost + GA [30] | 99.57 |
| Discriminative Multinomial Naïve Bayes +N2B [31] | 96.5 |
| Random Forest [32] | 91.5 |

As observed from the above comparison (TABLE IV), the proposed method gives higher accuracy of attack detection than other techniques.

VI. CONCLUSION

In this paper we have proposed the use of boosting algorithms with and without clustering in detecting network intrusion. Our results display accuracies which are better than existing models. We were able to come up with a robust model even though the NSL-KDD Test data is based on a different probability distribution than the Training data.

The experiment results show that anomaly-based intrusion detection using machine learning holds a lot of potential for improvements and can be used reliably in future.

Our future work will focus on the following aspects:
1. Improving the current model using a hybrid ensemble, consisting of different types of classifiers.
2. Further improving the FP rate, leading to better accuracies and precision.
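
The sketch below is an added example, not the authors' code: it follows the second approach of Section IV-D (K-means, one classifier per cluster, each test point routed to its cluster's classifier) and uses the three AdaBoost steps of Section III-C as the per-cluster learner. It assumes the standard AdaBoost weight formulas, decision stumps as weak classifiers, a deterministic K-means start and constructed toy records with illustrative column names; all function names are hypothetical.

```python
import math

def standardize(train, test):  # preprocessing step 3: training mean/std only
    cols = list(zip(*train))
    mu = [sum(c) / len(c) for c in cols]
    sd = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0
          for c, m in zip(cols, mu)]
    def scale(rows):
        return [[(v - m) / s for v, m, s in zip(r, mu, sd)] for r in rows]
    return scale(train), scale(test)

def nearest(cents, x):
    return min(range(len(cents)), key=lambda j: math.dist(cents[j], x))

def kmeans(X, k, iters=20):
    cents = [X[0]]
    while len(cents) < k:  # deterministic farthest-point start (an assumption)
        cents.append(max(X, key=lambda x: min(math.dist(x, c) for c in cents)))
    for _ in range(iters):  # Lloyd iterations, fixed count
        groups = [[] for _ in range(k)]
        for x in X:
            groups[nearest(cents, x)].append(x)
        cents = [[sum(c) / len(g) for c in zip(*g)] if g else cents[j]
                 for j, g in enumerate(groups)]
    return cents

def stump(x, f, t, s):  # depth-1 tree: vote s when feature f >= t, else -s
    return s if x[f] >= t else -s

def best_stump(X, y, w):
    best = None  # step 1: weak classifier with the lowest weighted error
    for f in range(len(X[0])):
        for t in sorted({x[f] for x in X}):
            for s in (1, -1):
                err = sum(wi for x, yi, wi in zip(X, y, w) if stump(x, f, t, s) != yi)
                if best is None or err < best[0]:
                    best = (err, f, t, s)
    return best

def adaboost(X, y, rounds=10):
    if len(set(y)) <= 1:  # empty or single-class cluster: constant vote
        return [(1.0, 0, -math.inf, y[0] if y else -1)]
    w, model = [1.0 / len(X)] * len(X), []
    for _ in range(rounds):
        err, f, t, s = best_stump(X, y, w)
        err = min(max(err, 1e-10), 1 - 1e-10)  # keep the logarithm finite
        theta = 0.5 * math.log((1 - err) / err)  # step 2: 0 at exactly 50% error
        model.append((theta, f, t, s))
        w = [wi * math.exp(-theta * yi * stump(x, f, t, s))
             for x, yi, wi in zip(X, y, w)]
        z = sum(w)  # step 3: Z_m keeps the weights summing to 1
        w = [wi / z for wi in w]
        if err <= 1e-10:  # perfect weak classifier: stop early
            break
    return model

def predict(model, x):
    return 1 if sum(th * stump(x, f, t, s) for th, f, t, s in model) >= 0 else -1

def fit_clustered(X, y, k):  # Section IV-D: one classifier per K-means cluster
    cents = kmeans(X, k)
    member = [nearest(cents, x) for x in X]
    return cents, [adaboost([x for x, m in zip(X, member) if m == j],
                            [yi for yi, m in zip(y, member) if m == j]) for j in range(k)]

def predict_clustered(cents, models, x):  # route x to its cluster's classifier
    return predict(models[nearest(cents, x)], x)

# Constructed toy records (src_bytes, duration, count, label); +1 attack, -1 normal.
TRAIN = [(100, 1, 2, -1), (100, 1, 4, -1), (100, 1, 90, 1), (100, 1, 95, 1),
         (9000, 60, 2, 1), (9000, 60, 4, 1), (9000, 60, 90, -1), (9000, 60, 95, -1)]
TEST = [(110, 1, 3, -1), (105, 1, 93, 1), (9100, 61, 3, 1), (8900, 59, 93, -1)]

def run():
    Xtr, Xte = standardize([r[:3] for r in TRAIN], [r[:3] for r in TEST])
    ytr, yte = [r[3] for r in TRAIN], [r[3] for r in TEST]
    acc = lambda pred: sum(p == t for p, t in zip(pred, yte)) / len(yte)
    cents, models = fit_clustered(Xtr, ytr, k=2)
    flat = adaboost(Xtr, ytr)  # same learner without clustering
    return (acc([predict_clustered(cents, models, x) for x in Xte]),
            acc([predict(flat, x) for x in Xte]))

if __name__ == "__main__":
    print(run())  # (accuracy with clustering, accuracy without)
```

On this constructed data every stump is at exactly 50% weighted error when the two traffic groups are pooled, so the unclustered learner assigns each one a weight of 0, while each per-cluster learner finds a stump that separates its classes.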
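
As a further added example (not from the paper), the code below applies the Section IV-C formulas to the four test-set confusion matrices of Section IV-E, treating "True" as the attack class. The false-positive rate FP/(FP+TN), the miss rate FN/(TP+FN), the row totals and the support-weighted averages are standard definitions added here as assumptions, and the function names are hypothetical.

```python
# Confusion matrices as printed in Section IV-E, in (TP, FN, FP, TN) order.
MATRICES = {
    "XGBoost + K-Means": (9461, 3372, 265, 9445),
    "XGBoost": (8755, 4078, 744, 8966),
    "AdaBoost + K-Means": (8997, 3836, 276, 9394),
    "AdaBoost": (8709, 4124, 725, 8985),
}

def attack_class_metrics(tp, fn, fp, tn):
    """Section IV-C formulas for the positive class, plus FP rate and miss rate."""
    precision = tp / (tp + fp)
    recall = tp / (tp + fn)
    return {
        "precision": precision,
        "recall": recall,
        "f1": 2 * precision * recall / (precision + recall),
        "accuracy": (tp + tn) / (tp + fn + fp + tn),
        "false_positive_rate": fp / (fp + tn),
        "miss_rate": fn / (tp + fn),
    }

def weighted_metrics(tp, fn, fp, tn):
    """Average of per-class precision, recall and F1, weighted by class size."""
    attack = attack_class_metrics(tp, fn, fp, tn)
    normal = attack_class_metrics(tn, fp, fn, tp)  # roles swapped: normal as positive
    n_attack, n_normal = tp + fn, fp + tn
    total = n_attack + n_normal
    return {key: (attack[key] * n_attack + normal[key] * n_normal) / total
            for key in ("precision", "recall", "f1")}

def row_totals(tp, fn, fp, tn):
    """Actual-attack and actual-normal record counts implied by a matrix."""
    return tp + fn, fp + tn

def report():
    lines = []
    for name, m in MATRICES.items():
        a, w = attack_class_metrics(*m), weighted_metrics(*m)
        lines.append(
            f"{name:20s} rows={row_totals(*m)} "
            f"attack P/R={a['precision']:.4f}/{a['recall']:.4f} "
            f"FPR={a['false_positive_rate']:.4f} miss={a['miss_rate']:.4f} "
            f"weighted P/R/F1={w['precision']:.4f}/{w['recall']:.4f}/{w['f1']:.4f}")
    return lines

if __name__ == "__main__":
    print("\n".join(report()))
```

For the XGBoost with K-Means matrix the support-weighted averages come to 87.12 / 83.87 / 83.87, the values in the first row of the test-set results table, while the attack-class recall from the Section IV-C formula is 73.72% at a false-positive rate of 2.73%.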


REFERENCES

[1] Symantec, Internet Security Threat Report 2017, Vol. 22
[2] D. Denning, “An intrusion detection model,” IEEE Trans. Softw. Eng., vol. SE-13, no. 2, pp. 222–232, Feb. 1987.
[3] G. Vigna and R. A. Kemmerer, “NetSTAT: A network-based intrusion detection approach,” in Proc. Comput. Secur. Appl. Conf., Dec. 1998, pp. 25–34.
[4] D. Qu, B. M. Vetter, F. Wang, R. Narayan, S. F. Wu, Y. F. Hou, F. Gong, and C. Sargor, “Statistical anomaly detection for link-state routing protocols,” in Proc. 6th Int. Conf. Netw. Protocols, 1998, pp. 62–70.
[5] N. Ye, S. M. Emran, X. Li, and Q. Che, “Statistical process control for computer intrusion detection,” in Proc. DARPA Inf. Survivability Conf. Expo. II, 2001, vol. 1, pp. 3–14.
[6] H. Jin, J. Sun, H. Chen, and Z. Han, “A fuzzy data mining based intrusion detection model,” in Proc. 10th IEEE Int. Workshop Future Trends Distrib. Comput. Syst., May 2004, pp. 191–197.
[7] H. Han, X. L. Lu, and L. Y. Ren, “Using data mining to discover signatures in network-based intrusion detection,” in Proc. Int. Conf. Mach. Learn. Cybern., 2002, vol. 1, pp. 13–17.
[8] J. M. Bonifacio, Jr., A. M. Cansian, A. C. P. L. F. De Carvalho, and E. S. Moreira, “Neural networks applied in intrusion detection systems,” in Proc. IEEE Int. Joint Conf. Neural Netw., 1998, vol. 1, pp. 205–210.
[9] J. Mill and A. Inoue, “Support vector classifiers and network intrusion detection,” in Proc. Int. Conf. Fuzzy Syst., 2004, vol. 1, pp. 407–410.
[10] Y. Guan, A. A. Ghorbani, and N. Belacel, “Y-means: A clustering method for intrusion detection,” in Proc. IEEE Can. Conf. Electr. Comput. Eng., 2003, vol. 2, pp. 1083–1086.
[11] S. Jiang, X. Song, H. Wang, J. Han, and Q. Li, “A clustering-based method for unsupervised intrusion detections,” Pattern Recognit. Lett., vol. 27, no. 7, pp. 802–810, May 2006.
[12] J. P. Anderson, “Computer Security Threat Monitoring and Surveillance,” James P Anderson Co, Fort Washington, Pennsylvania, Tech. Rep., April 1980
[13] M. H. Bhuyan, D. K. Bhattacharyya, J. K. Kalita, “Network anomaly detection: Methods, systems, tools”, IEEE communications surveys & tutorials, vol 16, issue 1, 2013, pp. 303-336
[14] F. Wikimedia, “Intrusion detection system,” http://en.wikipedia.org/wiki/Intrusion-detection system, Feb 2009
[15] G. Kathareios, A. Anghel, A. Mate, R. Clayberg, M. Gusat, “Catch It If You Can: Real-Time Network Anomaly Detection with Low False Alarm Rates”, Machine Learning and Applications (ICMLA), 2017 16th IEEE International Conference, Dec. 2017
[16] R. Sommer et al., “Outside the closed world: On using machine learning for network intrusion detection,” in Security and Privacy (SP), 2010 IEEE Symposium on, 2010, pp. 305–316.
[17] C. Gates et al., “Challenging the anomaly detection paradigm: a provocative discussion,” in Proceedings of the 2006 workshop on New security paradigms. ACM, 2006, pp. 21–29
[18] J. Dromard et al., “Online and scalable unsupervised network anomaly detection method,” IEEE Transactions on Network and Service Management, vol. 14, no. 1, pp. 34–47, 2017.
[19] P. Casas et al., “Unada: Unsupervised network anomaly detection using sub-space outliers ranking,” Networking 2011, pp. 40–51, 2011.
[20] Y. Liu et al., “Sketch-based streaming pca algorithm for network-wide traffic anomaly detection,” in Distributed Computing Systems (ICDCS), IEEE 30th International Conference on, 2010, pp. 807–816.
[21] Mitchell, T. (1997). Machine Learning. McGraw Hill. p. 2. ISBN 0-07-042807-7.
[22] Rokach, L.; Maimon, O. (2005). "Top-down induction of decision trees classifiers-a survey". IEEE Transactions on Systems, Man, and Cybernetics, Part C. 35 (4): 476–487.
[23] M. H. Bhuyan, D. K. Bhattacharyya, J. K. Kalita, “Network traffic anomaly detection and prevention”
[24] KDD Cup 1999 Data: http://kdd.ics.uci.edu/databases/kddcup99
[25] M. Tavallaee, E. Bagheri, W. Lu, and A. Ghorbani, “A Detailed Analysis of the KDD CUP 99 Data Set,” Submitted to Second IEEE Symposium on Computational Intelligence for Security and Defense Applications (CISDA), 2009.
[26] NSL-KDD Dataset, http://www.unb.ca/cic/datasets/nsl.html
[27] L. M. Ibrahim, D. T. Basheer, M. S. Mahmod, “A Comparison Study For Intrusion Database(KDD99, NSL-KDD) Based On Self Organization Map (SOM) Artificial Neural Network”, Journal of Engineering Science and Technology, Vol. 8, No. 1 (2013) 107 – 119
[28] B. Ingre, A. Yadav, “Performance Analysis of NSL-KDD dataset using ANN”, SPACES-2015, Dept of ECE, K L University
[29] M. S. Pervez, D. Md. Farid, “Feature Selection and Intrusion classification in NSL-KDD Cup 99 Dataset Employing SVMs”, The 8th International Conference on Software, Knowledge, Information Management and Applications (SKIMA 2014), Dec. 2014
[30] H. M. Harb, A. S. Desuky, “Adaboost Ensemble with Genetic Algorithm Post Optimization for Intrusion Detection”, IJCSI International Journal of Computer Science Issues, Vol. 8, Issue 5, No 1, September 2011
[31] M. Panda, A. Abraham, M. R. Patra, “Discriminative Multinomial Naïve Bayes for Network Intrusion Detection”, 2010 Sixth International Conference on Information Assurance and Security
[32] S. Choudhury, A. Bhowal, “Comparative Analysis of Machine Learning Algorithms along with Classifiers for Network Intrusion Detection”, International Conference on Smart Technologies and Management for Computing, Communication, Controls, Energy and Materials (ICSTM), Chennai, T.N., India. 6-8 May 2015. pp.89-95
[33] Friedman J, Hastie T, Tibshirani R, et al. (2000). “Additive logistic regression: a statistical view of boosting (with discussion and a rejoinder by the authors).” Annals of Statistics, 28(2), 337–407.
[34] Friedman JH (2001). “Greedy function approximation: a gradient boosting machine.” Annals of Statistics, pp. 1189–1232.
[35] http://www-stat.stanford.edu/~jhf/ftp/trebst.pdf
[36] J. H. Friedman, Stochastic Gradient Boosting, “Computational Statistics & Data Analysis”, Volume 38, Issue 4, 28 February 2002, pp. 367-378
