About Me

Short bio
Joao Ceron is a network security research engineer at SIDN Labs. He has a degree in computer science, a master's degree in computer security and a Ph.D. in computer engineering. He has worked for more than 10 years in computer emergency teams dealing with real-world attacks and fraudsters. Recently, he was commissioned by the Ministry of Justice and Security in the Netherlands to investigate the vulnerability of critical infrastructure equipment.


My background is in applied network security research, in particular investigating malware behaviors. In my master's degree, I studied botnet tracking mechanisms using network flows and malware analysis. You can find my master's thesis [here] (in Portuguese only); however, we have published a few papers with the results of that research, see the papers section.
During my Ph.D. I developed a malware analysis environment based on SDN (Software-Defined Networking). The idea is to manipulate the flows originating from malware to trigger unseen malware behaviors. You can find my Ph.D. thesis [here] (also in Portuguese); if you are interested, check out the papers section for the papers we published on this subject.

Besides my research background, I used to work as a Security Analyst at the Brazilian National CERT, where we handled computer security incidents associated with Brazilian network address space, including phishing, DDoS, malware, and misconfigured services used in amplification attacks.

Research

You can find a list of projects that I'm working on.

Concordia - DDoS Clearing House for Europe - Piloting a DDoS Clearing House for Europe
NoMore DDoS - Dutch anti-DDoS coalition is a partnership against DDoS attacks.
PAADDoS - Planning for Anycast as Anti-DDoS [collaborator] - Perform applied research in Anycast services aiming to provide tools and recommendations for DNS operators.

SAND [ended 2020] - Perform applied research in Anycast services aiming to provide tools and recommendations for DNS operators.
MARS [ended 2018] - Malware analysis system based on SDN
IoT malware investigation - Investigate IoT malware characteristics.
Online discoverability and vulnerabilities of ICS/SCADA devices in the Netherlands - Online discoverability and vulnerabilities: a report to the Dutch Ministry of Defence

Publications

Are Darknets All The Same? On Darknet Visibility for Security Monitoring.
Idilio Drago, Marco Mellia, Martino Trevisan and Francesca Soro (Politecnico di Torino, Italy); Jose Jair Santanna and João Ceron (University of Twente, The Netherlands)
2019 IEEE International Symposium on Local and Metropolitan Area Networks
Improving IoT Botnet Investigation Using an Adaptive Network Layer
João Marcelo Ceron; Klaus Steding-Jessen, Cristine Hoepers, Cíntia Borges Margi; Lisandro Zambenedetti Granville
2019 Threat Identification and Defence for Internet-of-Things - Sensors - MDPI AG, Basel, Switzerland
An SDN-based malware analysis solution
João Marcelo Ceron; Cíntia Borges Margi; Lisandro Zambenedetti Granville
2016 IEEE Symposium on Computers and Communication (ISCC)
MARS: From traffic containment to network reconfiguration in malware-analysis systems
João Marcelo Ceron, Cíntia Borges Margi, Lisandro Zambenedetti Granville
2017 Computer Networks: The International Journal of Computer and Telecommunications Networking - Elsevier
Botnet master detection using a mashup-based approach
Carlos Raniery P. dos Santos; Rafael Santos Bezerra; João Marcelo Ceron; Lisandro Zambenedetti Granville; Liane M. R. Tarouco
2010 International Conference on Network and Service Management
Anatomy of SIP Attacks
João Marcelo Ceron, Klaus Steding-Jessen, Cristine Hoepers
;login:: the magazine of USENIX & SAGE, 2012
On using mashups for composing network management applications
Carlos Raniery Paula dos Santos; Rafael Santos Bezerra; João Marcelo Ceron; Lisandro Zambenedetti Granville; Liane Margarida Rockenbach Tarouco
IEEE Communications Magazine Year: 2010, Volume: 48, Issue: 12
Identifying botnet communications using a mashup-based approach
Carlos Raniery P. dos Santos; Rafael Santos Bezerra; João Marcelo Ceron; Lisandro Zambenedetti Granville; Liane M. R. Tarouco
2011 7th Latin American Network Operations and Management Symposium
Honeypots as a security mechanism
Emerson Salvadori Virti, Liane Margarida Rockenbach Tarouco, Lisandro Zambenedetti Granville, Leandro Márcio Bertholdo, João Marcelo Ceron
MonAm (2006 set.: Tübingen, Germany). Proceedings of the IEEE/IST. Tubingen: IEEE, 200

Students

Dzul Dzulqarnain (Master) - IoT Botnet
Christodoulos Tziampazis (Bachelor) - Medical devices discoverability
Christian Scholten (Bachelor) - Characterizing low-cost routers attacks