A REVIEW OF BEHAVIOURAL FINGERPRINTING FOR CLOUD RANSOMWARE DETECTION VIA SYSTEM AND API CALL ANALYSIS

Authors

  • Bhavesh Kumar Sharma National Forensic Sciences University
  • Dr. Kapil Shukla National Forensic Sciences University https://orcid.org/0000-0002-9078-9425
  • Dr. Krishna Modi National Forensic Sciences University

DOI:

https://doi.org/10.29121/digisecforensics.v2.i2.2025.69

Keywords:

Ransomware, Cloud Security, Behavioural Fingerprinting, System Calls, API Calls, Machine Learning

Abstract

The rapid adoption of cloud computing has created lucrative targets for ransomware. Classical detection methods, which are static and signature-based, struggle increasingly with modern ransomware, which employs obfuscation and abuses legitimate administrative functions, especially in API-centric cloud environments. This paper presents a structured literature review of ransomware detection methodologies and argues for classifying and assessing attacks by their actions rather than by static artefacts. We contend that behavioural fingerprinting, built on detailed observation of cloud workloads and of API calls to the cloud control plane, is the most promising approach for early and accurate detection of cloud-native ransomware. Starting from the current state of malware analysis, we set out the fundamental elements of behavioural fingerprinting across the ransomware attack cycle and identify system calls and API calls as the principal data sources for accurate fingerprints. We then survey the machine learning and deep learning techniques used to automate detection and discuss the practical issues, including performance overhead, that arise when they are deployed in real-world settings. We examine the challenges of applying these principles to cloud architectures, which also give defenders a new primary data source in the form of cloud API logs. We conclude by summarising our findings, identifying the need for cloud-specific datasets and explainable AI as open research gaps, and outlining promising directions for future research in this rapidly growing area of cyber security.
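The abstract describes fingerprinting ransomware by the sequence of API calls it makes against the cloud control plane rather than by static signatures. The following is an added illustration for this page, not code from the reviewed paper: it runs a sliding-window behavioural check over a constructed stream of object-storage API events and also shows the action n-gram bag that a classifier would consume as a feature vector. The `ApiEvent` schema is a simplified stand-in for real cloud audit logs (it is not any provider's actual log format), the principals and keys are made up, the read/rewrite-under-new-name/delete heuristic and the `window` and `min_keys` thresholds are assumptions chosen for the example.

```python
"""
Sliding-window behavioural fingerprint over object-storage API events.
Added example for this page; not the reviewed paper's code. The event
schema is a simplified, constructed stand-in for cloud API audit logs.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ApiEvent:
    ts: int          # seconds on a constructed timeline
    principal: str   # identity that issued the API call
    action: str      # API call name, e.g. "GetObject"
    key: str         # object key the call touched


def ngram_fingerprint(actions: Iterable[str], n: int = 3) -> Counter:
    """Bag of action n-grams: the feature representation an ML model would consume."""
    seq = list(actions)
    return Counter(tuple(seq[i:i + n]) for i in range(len(seq) - n + 1))


def _replaced_under_new_name(original: str, written: set) -> bool:
    """True if some written key extends the original (e.g. a.xlsx -> a.xlsx.locked)."""
    return any(w != original and w.startswith(original) for w in written)


def find_encrypt_replace_delete(events, window: int = 60, min_keys: int = 5):
    """
    Per principal, slide a time window over its calls and count object keys
    that were read, re-uploaded under a new name and deleted inside that
    window. That read/rewrite/delete triple is the behavioural pattern of
    storage-level ransomware; a backup job only reads and a CI upload only
    writes, so neither trips it. Returns one finding per principal whose
    peak count reaches min_keys (thresholds are assumptions for the example).
    """
    by_principal = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_principal[e.principal].append(e)

    findings = []
    for principal, evs in by_principal.items():
        best, left = 0, 0
        for right in range(len(evs)):
            # advance the left edge until the window fits
            while evs[right].ts - evs[left].ts > window:
                left += 1
            win = evs[left:right + 1]
            reads = {e.key for e in win if e.action == "GetObject"}
            writes = {e.key for e in win if e.action == "PutObject"}
            deletes = {e.key for e in win if e.action == "DeleteObject"}
            hit = sum(1 for k in reads & deletes
                      if _replaced_under_new_name(k, writes))
            best = max(best, hit)
        if best >= min_keys:
            findings.append({"principal": principal, "replaced_keys": best})
    return findings


def constructed_events(gap: int = 5):
    """Constructed sample log: one ransomware-like principal, two benign ones."""
    evs = []
    # ransomware-like: read, rewrite as .locked, delete original, 8 keys, `gap` s apart
    for i in range(8):
        k, t = f"finance/q{i}.xlsx", 1000 + i * gap
        evs += [ApiEvent(t, "svc-sync", "GetObject", k),
                ApiEvent(t + 1, "svc-sync", "PutObject", k + ".locked"),
                ApiEvent(t + 2, "svc-sync", "DeleteObject", k)]
    # benign: a backup job reads 20 keys and writes nothing
    evs += [ApiEvent(2000 + i, "backup-job", "GetObject", f"finance/q{i}.xlsx")
            for i in range(20)]
    # benign: a CI runner uploads 20 new artefacts and reads nothing
    evs += [ApiEvent(3000 + i, "ci-runner", "PutObject", f"build/{i}.tar.gz")
            for i in range(20)]
    return evs


if __name__ == "__main__":
    print(find_encrypt_replace_delete(constructed_events()))
    acts = (e.action for e in constructed_events() if e.principal == "svc-sync")
    print(ngram_fingerprint(acts).most_common(3))
```

The window matters as much as the pattern: the same eight files processed an hour apart (`constructed_events(gap=3600)`) never accumulate five replacements in one 60-second window, which is the kind of low-and-slow evasion the abstract's call for cloud-specific datasets and real-world evaluation is meant to expose.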

Author Biographies

Dr. Kapil Shukla, National Forensic Sciences University

Dr. Kapil Shukla is serving as an Assistant Professor at the School of Forensic Science, National Forensic Sciences University, Gandhinagar, Gujarat. He has 17 years of experience in academics and holds a Ph.D. in the field of Machine Learning. Dr. Kapil Shukla has cleared the UGC NET and GSET examinations for Lectureship. He is a life member of CSI and ISTE.

Dr. Krishna Modi, National Forensic Sciences University

Dr. Krishna Modi is an academician with over eight years of experience in teaching, research, and academic development. She is NET and GATE qualified, with strong academic foundations that support her professional journey. Her core research interests include machine learning applications in lifestyle diseases and predictive healthcare. She is also developing her skills in cybersecurity and digital forensics to broaden her expertise in emerging technological domains. She believes in continuous learning and strives to integrate new tools and technologies into teaching and research practices.

Published

2025-12-05

How to Cite

Sharma, B. K., Shukla, K., & Modi, K. (2025). A REVIEW OF BEHAVIOURAL FINGERPRINTING FOR CLOUD RANSOMWARE DETECTION VIA SYSTEM AND API CALL ANALYSIS. Journal of Digital Security and Forensics, 2(2), 88–107. https://doi.org/10.29121/digisecforensics.v2.i2.2025.69