Add introduction of the web report to the docs #404
codecov-commenter
commented
Oct 20, 2022
Codecov ReportBase: 78.38% // Head: 78.38% // No change to project coverage 👍
Additional details and impacted files

@@ Coverage Diff @@
##           master     #404   +/-   ##
=======================================
  Coverage   78.38%   78.38%
=======================================
  Files          63       63
  Lines        4760     4760
=======================================
  Hits         3731     3731
  Misses       1029     1029
Here is the content of report.rst.
Report
Web Report
You can analyze an APK sample and produce a beautiful summary report in HTML format through the following command.
quark -a Ahmyth.apk -s -w test.html
The meanings of the options:
- -a for sample file input
- -s for producing the summary report
- -w for Web Report file output
Here is a demo of the Web Report.
And the page can be divided into four parts:
- Analysis Result
- Sample Information
- Radar Chart
- Detected Crimes
Analysis Result
First, this part gives you the statistics of the crimes detected by Quark.
There are two sections in this part:
- A doughnut chart shows the ratio of the crimes with 100% confidence in all crimes detected.
- The statistics of the number of crimes in different confidence levels from 0% to 100%. And the higher the level is, the more we are sure the behavior is malicious.
Sample Information
Sample Information shows the basic information of the sample, including the file name, MD5 hash value, file size, and the labels of detected rules with 100% confidence.
Radar Chart
In this part,
- You can choose the labels you want as the dimensions to analyze in the radar chart. Or you can uncheck them all with the "Deselect all" button below.
- Then, the page will plot the chart. And the values on the axes are the confidences of crimes corresponding to the labels.
- It also lists the labels of the detected crimes that have 100% confidence.
Detected Crimes
In this part,
- It shows the rule numbers, crime descriptions, and the confidence of the crimes detected.
@18z Please review the document about the web report. Thank you!
Thank you @zinwang and @haeter525 !
I think we should ensure that in every picture we provide, the content must be clean and tidy.
Two suggestions:
- One picture one story. Make the picture have only one story and nothing but the story.
For example, instead of
[image: sample_info]
use
[image: Screen Shot October 21, 2022 at 9:34:05 AM]
- Make the content centered, and the margins consistent.
hi @zinwang
I have a new idea. Let's just keep the picture of the whole report and remove all the others.
Because I think the snapshots are difficult to present nicely.
At the top of the document, we show the report directly.
Then, we describe each part of the report accordingly. I think this should be clear enough.
For example:
Analysis Result
Description
Sample Information
Description
Radar Chart
Description
Label selection
Description
100% Confidence Crimes
Description
Search Crime
Description
Confidence Filter
Description
List of Rules and Crime
Description
@18z
Here is the modified version following the advice you gave above.
Please have a look. Thanks!
I edited it on 11/9.
Report
Web Report
This report aims to provide an easy-to-read overview of the analysis result of the APK file.
We can analyze an APK file and produce a reader-friendly summary report in HTML format with the command below:
quark -a Ahmyth.apk -s -w test.html
The usage of the options:
- -a specifies an APK file
- -s for summary report
- -w generates the web report
The image below depicts the appearance of the generated Web Report. You can also check this demo
The following are the detailed descriptions of the Web Report.
Doughnut Chart
The doughnut chart illustrates the proportion of the crimes with 100% confidence in all crimes detected in the sample. And the fraction number is shown directly in the center of the chart. The feature helps users understand the overall maliciousness in the sample file at first glance.
Statistics of Crimes
The statistics show the number of crimes in different confidence levels from 0% to 100%. The higher the level is, the more we are sure the behavior is malicious. And the icons of levels are separated by different colors. Here, we can know the distributions of the malice of the sample.
Sample Information
Sample Information exhibits the basic information of the sample, including the file name, MD5 hash value, file size, and the labels of detected rules with 100% confidence.
The first three pieces of information give identifications of the file. We can use them to find other analyses of the same file on the Internet, then compare the differences.
And with the labels of 100% confidence, we can roughly see the malicious behavior in the sample. Or we can compare them between different sample files.
Label Selecting Area
Detected labels are presented here. We can choose the labels we want as the dimensions in the radar chart by clicking the check box of each label. Then, the page will plot the radar chart according to our selection.
If we want to replot the chart, we can easily use the "unselect button" to uncheck all the labels.
Radar Chart
The radar chart presents relations of the confidence level between different labels. With a radar chart, we can quickly find outliers that differ significantly from other dimensions. And we can also use radar charts to compare the similarity between different samples.
Labels of 100% confidence
Here it lists the labels of the detected crimes that have 100% confidence again.
Search Crimes
We can use the Search Crime field to search crimes with specific strings in crime descriptions. It helps find particular crimes quickly.
Confidence Filter
We can filter crimes at specific confidence levels with Confidence Filter. For example, we can see only crimes with 60% confidence if we set the filter to 60%.
Detected Crimes
The rule numbers, crime descriptions, and the confidence level of the detected crimes are shown in this section. With this information, we can know what the sample does and how malicious the behaviors are. If we want to dig into the detail of the crime, we can use rule numbers to look up Quark Rules.
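As an added example (not part of the PR or of Quark's own code), the following Python reproduces the figures each section of the Web Report described above is built from: the doughnut fraction, the per-level statistics, the 100%-confidence labels, the Confidence Filter, the Search Crime field and the Sample Information identifiers. The input records are constructed for the example and only assume the fields the report displays; Quark's real output format and its five confidence stages (0/20/40/60/80/100) are assumptions here.

```python
import hashlib
import os
from collections import Counter

# Constructed list of detected crimes with the fields the Web Report displays
# (rule number, crime description, confidence, labels). This is an assumption
# about the shape of the data, not Quark's real output format; confidence is
# assumed to be one of five stages: 0, 20, 40, 60, 80 or 100 percent.
CRIMES = [
    {"rule": "00001", "crime": "Initialize bitmap object and compress data into it", "confidence": 100, "labels": ["camera", "collection"]},
    {"rule": "00002", "crime": "Open the camera and take a picture", "confidence": 100, "labels": ["camera"]},
    {"rule": "00003", "crime": "Get location information and send it out", "confidence": 80, "labels": ["location", "network"]},
    {"rule": "00004", "crime": "Read SMS messages from the inbox", "confidence": 60, "labels": ["sms"]},
    {"rule": "00005", "crime": "Record audio from the microphone", "confidence": 40, "labels": ["microphone"]},
    {"rule": "00006", "crime": "Query the device IMEI number", "confidence": 0, "labels": ["collection"]},
]

LEVELS = (0, 20, 40, 60, 80, 100)  # assumed confidence stages, lowest to highest

def doughnut_ratio(crimes):
    """Fraction shown in the centre of the doughnut chart: 100%-confidence crimes over all crimes."""
    full = sum(1 for c in crimes if c["confidence"] == 100)
    return full, len(crimes)

def confidence_statistics(crimes):
    """Number of crimes at each confidence level (the 'Statistics of Crimes' section)."""
    counts = Counter(c["confidence"] for c in crimes)
    return {level: counts.get(level, 0) for level in LEVELS}

def labels_at_full_confidence(crimes):
    """Labels of rules that matched with 100% confidence (Sample Information and radar chart)."""
    return sorted({label for c in crimes if c["confidence"] == 100 for label in c["labels"]})

def filter_by_confidence(crimes, level):
    """Confidence Filter: keep only the crimes at exactly the chosen level."""
    return [c for c in crimes if c["confidence"] == level]

def search_crimes(crimes, needle):
    """Search Crime field: case-insensitive substring match on the crime description."""
    needle = needle.lower()
    return [c for c in crimes if needle in c["crime"].lower()]

def sample_information(path, data):
    """File name, MD5 and size, as in the Sample Information section (data is the APK bytes)."""
    return {"file_name": os.path.basename(path), "md5": hashlib.md5(data).hexdigest(), "file_size": len(data)}
```

The MD5 and file size are what you would use to look the same sample up in other analysis services, as the Sample Information section suggests.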
Description
This PR aims to close Issue #400.
Document Changes