Skip to content

Add introduction of the web report to the docs #404

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 13 commits into
base: master
Choose a base branch
from
Open

Add introduction of the web report to the docs #404

wants to merge 13 commits into from

Conversation

zinwang
Copy link
Collaborator

@zinwang zinwang commented Oct 20, 2022
edited
Loading

Description

This PR aims to close Issue #400.

Document Changes

  • Add a new content, Report.
  • Add introduction of the Web Report to Report.

@codecov-commenter
Copy link

Codecov Report

Base: 78.38% // Head: 78.38% // No change to project coverage 👍

Coverage data is based on head (25e3d1a) compared to base (1beeed3).
Patch has no changes to coverable lines.

Additional details and impacted files 
@@           Coverage Diff           @@
##           master     #404   +/-   ##
=======================================
  Coverage   78.38%   78.38%           
=======================================
  Files          63       63           
  Lines        4760     4760           
=======================================
  Hits         3731     3731           
  Misses       1029     1029
Flag Coverage Δ
unittests 78.38% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

@haeter525 haeter525 self-assigned this Oct 20, 2022
@haeter525 haeter525 added documentation Improvements or additions to documentation pr-processing-state-05 labels Oct 20, 2022
@zinwang
Copy link
Collaborator Author

zinwang commented Oct 21, 2022
edited
Loading

Here is the content of report.rst.

Report

Web Report

You can analyze an APK sample and produce a beautiful summary report in HTML format through the following command.

quark -a Ahmyth.apk -s -w test.html

The meanings of the options:

  • -a for sample file input
  • -s for producing the summary report
  • -w for Web Report file output

Here is a demo of the Web Report.
And the page can divide into four parts:

  • Analysis Result
  • Sample Information
  • Radar Chart
  • Detected Crimes

Analysis Result

First, this part gives you the statistic of the crimes detected by Quark.

There are two sections in this part:

  1. A doughnut chart shows the ratio of the crimes with 100% confidence in all crimes detected.

  1. The statistic of the number of crimes in different confidence levels from 0% to 100%. And the higher the level is, the more we are sure the behavior is malicious.

Sample Information

Sample Information shows the basic information of the sample, including the file name, MD5 hash value, file size, and the labels of detected rules with 100% confidence.

Radar Chart

In this part,

  1. You can choose the labels you want as the dimensions to analyze in the radar chart. Or you can uncheck them all with the "Deselect all" button below.

  1. Then, the page will plot the chart. And the values on the axes are the confidences of crimes corresponding to the labels.

  1. It also lists the labels of the detected crimes that have 100% confidence.

Detected Crimes

In this part,

  1. It shows the rule numbers, crime descriptions, and the confidence of the crimes detected.

  1. You can find crimes by searching specific strings in the Crime Description with the searching field.

  2. Also, you can show crimes with specific confidence with the drop-down list.

@haeter525 haeter525 requested a review from 18z October 21, 2022 01:22
@haeter525
Copy link
Member

@18z Please review the document about the web report. Thank you!

@18z
Copy link
Member

18z commented Oct 21, 2022

Thank you @zinwang and @haeter525 !

I think we should ensure that in every picture we provide, the content must be clean and tidy.

Two suggestions:

  1. One picture one story. Make the picture has only one story and nothing but the story.
    For example

Instead of
sample_info

Use
Screen Shot 2022-10-21 at 9 34 05 AM

  1. Make the content centered, and the margins consistent.

@zinwang
Copy link
Collaborator Author

zinwang commented Oct 24, 2022

@18z
I have fixed the problem in the images and updated the preview above. Please have a look.
As for the typo and the light grid lines in the Radar Chart section,
I have created issue #405 to fix them.

@18z
Copy link
Member

18z commented Oct 26, 2022

hi @zinwang

I have a new idea. Let's just keep the picture of the whole report and remove all the others.
Because I think the snapshots are difficult to present nicely.

At the top of the document, we show the report directly.
Then, we describe each part of the report accordingly. I think this should be clear enough.

For example:

68747470733a2f2f692e696d6775722e636f6d2f684733416738742e706e67

Analysis Result

Description

Sample Information

Description

Radar Chart

Description

Label selection

Description

100% Confidence Crimes

Description

Search Crime

Description

Confidence Filter

Description

List of Rules and Crime

Description

@zinwang
Copy link
Collaborator Author

zinwang commented Nov 3, 2022
edited
Loading

@18z
Here is the modified version following the advice you gave above.
Please have a look. Thanks!

I edited it on 11/9.

Report

Web Report

This report aims to provide an easy-to-read overview of the analysis result of the APK file.

We can analyze an APK file and produce a reader-friendly summary report in HTML format with the command below.:

quark -a Ahmyth.apk -s -w test.html

The usage of the options:

-a     specifies an APK file
-s     for summary report
-w     generates the web report

The image below depicts the appearance of the generated Web Report. You can also check this demo

The followings are the detailed descriptions of the Web Report.

Doughnut Chart

The doughnut chart illustrates the proportion of the crimes with 100% confidence in all crimes detected in the sample. And the fraction number is shown directly in the center of the chart. The feature helps users understand the overall maliciousness in the sample file at first glance.

Statistics of Crimes

The statistics show the number of crimes in different confidence levels from 0% to 100%. The higher the level is, the more we are sure the behavior is malicious. And the icons of levels are separated by different colors. Here, we can know the distributions of the malice of the sample.

Sample Information

Sample Information exhibits the basic information of the sample, including the file name, MD5 hash value, file size, and the labels of detected rules with 100% confidence.

The first three pieces of information give identifications of the file. We can use them to find other analyses of the same file on the Internet, then compare the differences.

And with the labels of 100% confidence, we can roughly see the malicious behavior in the sample. Or we can compare them between different sample files.

Label Selecting Area

Detected labels are presented here. We can choose the labels we want as the dimensions in the radar chart by clicking the check box of each label. Then, the page will plot the radar chart according to our selection.

If we want to replot the chart, we can easily use the “unselect button” to uncheck all the labels.

Radar Chart

The radar chart presents relations of the confidence level between different labels. With a radar chart, we can quickly find outliers that differ significantly from other dimensions. And we can also use radar charts to compare the similarity between different samples.

Labels of 100% confidence

Here it lists the labels of the detected crimes that have 100% confidence again.

Search Crimes

We can use the Search Crime field to search crimes with specific strings in crime descriptions. It helps find particular crimes quickly.

Confidence Filter

We can filter crimes at specific confidence levels with Confidence Filter. For example, we can see only crime with 60% confidence if we set the filter to 60%.

Detected Crimes

The rule numbers, crime descriptions, and the confidence level of the detected crimes are shown in this section. With this information, we can know what the sample does and how malicious the behaviors are. If we want to dig into the detail of the crime, we can use rule numbers to look up Quark Rules.

@zinwang zinwang closed this Jan 20, 2024
@zinwang zinwang deleted the intro_of_the_web_report_to_the_docs branch January 20, 2024 13:47
@zinwang zinwang restored the intro_of_the_web_report_to_the_docs branch January 20, 2024 14:02
@zinwang zinwang reopened this Jan 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@18z 18z Awaiting requested review from 18z

At least 1 approving review is required to merge this pull request.

Assignees

@haeter525 haeter525

Labels
documentation Improvements or additions to documentation pr-processing-state-06
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@zinwang @codecov-commenter @haeter525 @18z