CN105740715A - A security assessment method and terminal equipment - Google Patents
- Publication number: CN105740715A (also listed as CN201610070987.3A)
- Authority: CN (China)
- Prior art keywords
- operation behavior
- application
- risk
- value
- target application
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
Description
Technical field
The present invention relates to the field of computer technology, and in particular to a security assessment method and a terminal device.
Background
On a terminal device, users install various application software (usually called applications for short), such as instant messaging tools, office software, game clients and browsers. These applications may carry certain risks and need a security assessment.
Take the most widely used terminal device, the mobile phone, as an example. The mobile phone has become an indispensable tool: it is needed at any time in life and at work, and its use involves all kinds of personal information and privacy. For example, the user's geographic location can be determined through the phone, and the phone stores our social networks, social tools, bank card numbers, transaction information and other data. The security of mobile phone use has therefore become an essential indicator.
Security incidents on mobile phones usually occur because some downloaded applications contain malicious code, such as Trojan horse programs and viruses.
To assess the security of an application, security software such as antivirus software is used to scan the application, determine the permissions it requires, and show those permissions during installation as a risk notice. This approach requires users to have the expertise to tell whether an application is safe, and applications usually request many permissions, which makes it hard for users to judge. A technical solution that completes risk notification automatically is therefore needed. The current automatic risk notification solution may be: antivirus software scans the application for viruses to determine whether it contains a virus and, if so, issues a risk notice.
Virus scanning with antivirus software can reduce information and privacy leakage caused by viruses, but scanning mobile applications this way still produces many misjudgments.
Summary of the invention
Embodiments of the present invention provide a security assessment method and a terminal device for automatically identifying the security of applications and reducing misjudgments.
In one aspect, an embodiment of the present invention provides a security assessment method, including:
determining a target application, where the target application is an application that requires security assessment;
collecting statistics on the operation behaviors of the target application and determining the risk coefficient corresponding to each operation behavior, where the riskier the operation behavior, the larger the risk coefficient;
calculating a composite value of the risk coefficients corresponding to the operation behaviors, and determining that the higher the composite value, the lower the security.
In an optional implementation, determining the target application includes:
after an application is installed for the first time or updated, determining that application as the target application; or,
after a configured time is obtained, determining the target application at the configured time; or,
determining the target application when the terminal device is idle; or,
determining the target application after a security assessment instruction is received.
In an optional implementation, determining the risk coefficient corresponding to each operation behavior includes:
determining the risk coefficient corresponding to each operation behavior according to a preset correspondence between operation behaviors and risk coefficients.
In an optional implementation, before the composite value of the risk coefficients corresponding to the operation behaviors is calculated, the method further includes:
determining a weight value for each risk coefficient, where the closer to the current time, the higher the weight value;
calculating the composite value of the risk coefficients corresponding to the operation behaviors and determining that the higher the composite value, the lower the security then includes:
calculating the average of the products of the risk coefficient and the weight value corresponding to each operation behavior, and determining that the higher the average, the lower the security.
In an optional implementation, after the statistics on the operation behaviors of the target application are collected, the method further includes:
determining target operation behaviors, where the target operation behaviors comprise the most recent N operation behaviors;
determining the risk coefficient corresponding to each operation behavior then includes:
determining the risk coefficients corresponding to the target operation behaviors.
In an optional implementation, calculating the composite value of the risk coefficients corresponding to the operation behaviors includes:
calculating the median of the risk coefficients corresponding to the operation behaviors and using the median as the composite value; or calculating the average of the risk coefficients corresponding to the operation behaviors and using the average as the composite value; or calculating the average reference value of the risk coefficient corresponding to each operation behavior and the previous M risk levels, and using the sum of the average reference values corresponding to the operation behaviors as the composite value.
In an optional implementation, determining the target application includes:
if the terminal device contains an application whose source has not been confirmed as a safe source, determining that application as the target application;
or, if the operation behaviors of an application on the terminal device include an unauthorized operation behavior, determining that application as the target application.
In a second aspect, an embodiment of the present invention provides a terminal device, including:
an application determination unit, configured to determine a target application, where the target application is an application that requires security assessment;
a statistics unit, configured to collect statistics on the operation behaviors of the target application;
a coefficient determination unit, configured to determine the risk coefficient corresponding to each operation behavior, where the riskier the operation behavior, the larger the risk coefficient;
a calculation unit, configured to calculate the composite value of the risk coefficients corresponding to the operation behaviors;
a security determination unit, configured to determine that the higher the composite value, the lower the security.
In an optional implementation, the application determination unit is specifically configured to determine an application as the target application after the application is installed for the first time or updated; or,
after a configured time is obtained, to determine the target application at the configured time; or,
to determine the target application when the terminal device is idle; or,
to determine the target application after a security assessment instruction is received.
In an optional implementation, the coefficient determination unit is specifically configured to determine the risk coefficient corresponding to each operation behavior according to a preset correspondence between operation behaviors and risk coefficients.
In an optional implementation, the terminal device further includes:
a weight determination unit, configured to determine a weight value for each risk coefficient before the calculation unit calculates the composite value of the risk coefficients corresponding to the operation behaviors, where the closer to the current time, the higher the weight value;
the calculation unit is specifically configured to calculate the average of the products of the risk coefficient and the weight value corresponding to each operation behavior;
the security determination unit is configured to determine that the higher the average, the lower the security.
In an optional implementation, the statistics unit is further configured to determine target operation behaviors after collecting statistics on the operation behaviors of the target application, where the target operation behaviors comprise the most recent N operation behaviors;
the coefficient determination unit is specifically configured to determine the risk coefficients corresponding to the target operation behaviors.
In an optional implementation, the calculation unit is specifically configured to calculate the median of the risk coefficients corresponding to the operation behaviors and use the median as the composite value; or to calculate the average of the risk coefficients corresponding to the operation behaviors and use the average as the composite value; or to calculate the average reference value of the risk coefficient corresponding to each operation behavior and the previous M risk levels, and use the sum of the average reference values corresponding to the operation behaviors as the composite value.
In an optional implementation, the application determination unit is specifically configured to determine an application as the target application if the terminal device contains an application whose source has not been confirmed as a safe source;
or, if the operation behaviors of an application on the terminal device include an unauthorized operation behavior, to determine that application as the target application.
As the above technical solutions show, the embodiments of the present invention have the following advantages: the operation behaviors of the target application are counted, a composite value for the target application is calculated from the risk coefficient of each operation behavior, and the security of the target application is determined from the composite value. The security of an application can thus be identified automatically, the limitation that antivirus operations only address viruses is avoided, and the method can be used in scenarios such as mobile phones to reduce misjudgments.
Description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed for the description of the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of a method according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of a method according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a terminal device according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a terminal device according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a terminal device according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a terminal device according to an embodiment of the present invention.
Detailed description
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the drawings. The described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Virus scanning with antivirus software can reduce information and privacy leakage caused by viruses. However, instant messaging software, for example, integrates positioning, payment and other functions and performs operations within the scope of its granted permissions; such software, which touches on information security, will not be judged to be a virus, yet it may leak user information and privacy. Virus scanning therefore protects user information and privacy poorly and produces many misjudgments.
Given these limitations of antivirus software, an embodiment of the present invention provides a security assessment method which, as shown in Fig. 1, includes:
101: Determine the target application, where the target application is an application that requires security assessment;
Whether an application needs a security assessment can be decided according to predetermined rules, for example: all applications installed on the terminal device require a security assessment; or an application whose source cannot be confirmed as safe is determined to be a target application; or an application that has performed operations beyond its permissions is a target application; and so on. The specific form
102: Collect statistics on the operation behaviors of the target application and determine the risk coefficient corresponding to each operation behavior; the riskier the operation behavior, the larger the risk coefficient;
In this embodiment, operation behaviors can be identified by capturing the operation instructions and execution steps carried out by the application software, which determines what operation behaviors the target application has performed. Operation behaviors may include reading data, writing data, sending data and so on; more specifically, for example, obtaining the user's location information, reading the user's contact information, uploading the user's contact information, or writing data to a third-party application. Different operation behaviors carry different risks and can therefore be mapped to different risk coefficients. For example, an application writing data within its own scope is low risk, whereas writing data to a third-party application is higher risk; reading the user's location information is also higher risk, as is reading the user's contact information, and uploading the user's contact information is higher risk still. Risk coefficients can be preset according to the level of risk. The preset values may be built into the system, set by the user, or downloaded from a server and stored locally; the specific form of presetting is not uniquely limited by the embodiments of the present invention.
It should also be noted that, to determine the security of the target application more accurately, the operation behaviors counted here may be all of the operation behaviors of the target application; deliberately omitting some operation behaviors that should have been counted may be regarded as an inferior variation.
103: Calculate the composite value of the risk coefficients corresponding to the operation behaviors, and determine that the higher the composite value, the lower the security.
In this embodiment, the composite value of the risk coefficients is a value calculated from multiple risk coefficients. Because the composite value is used to determine security, and a higher composite value means lower security, the higher the risk coefficients are overall, the lower the security should be. On this basis a person skilled in the art can design a calculation method they consider reasonable; this should not be understood to mean that any arbitrary calculation method is acceptable. Specific calculation methods include, for example: the average of all risk coefficients, the weighted average of the risk coefficients, the average of the remaining risk coefficients after outlier risk coefficients are removed, the average of the most recent N risk coefficients, and so on. The embodiments of the present invention do not uniquely limit the specific algorithm.
After the security of the target application has been determined, a prompt can be given; for example, the security of all applications can be displayed as a list, or a separate prompt can be issued once a particular target application is determined to be dangerous. After the security of the target application has been determined, how the result is used is not uniquely limited by the embodiments of the present invention.
The embodiments of the present invention also give examples of how determination of the target application is triggered, that is, the conditions that start a security assessment. Determining the target application includes:
after an application is installed for the first time or updated, determining that application as the target application; or,
after a configured time is obtained, determining the target application at the configured time; or,
determining the target application when the terminal device is idle; or,
determining the target application after a security assessment instruction is received.
Note that triggering the security assessment process in other ways does not affect the implementation of the embodiments of the present invention, so the above examples should not be understood as a unique limitation on them.
The embodiments of the present invention also give an example of how the risk coefficients are determined. Determining the risk coefficient corresponding to each operation behavior includes:
determining the risk coefficient corresponding to each operation behavior according to a preset correspondence between operation behaviors and risk coefficients.
Note that the preset values may be built into the system, set by the user, or downloaded from a server and stored locally; the specific form of presetting is not uniquely limited by the embodiments of the present invention.
In the embodiments of the present invention, the risk coefficients of operation behaviors can be preset, and weights for the risk coefficients can additionally be determined from the actual local situation. For example, ordering by time, older historical data can be given relatively small weights and more recent data larger weights. Specifically, before the composite value of the risk coefficients corresponding to the operation behaviors is calculated, the method further includes:
determining a weight value for each risk coefficient, where the closer to the current time, the higher the weight value;
calculating the composite value of the risk coefficients corresponding to the operation behaviors and determining that the higher the composite value, the lower the security then includes:
calculating the average of the products of the risk coefficient and the weight value corresponding to each operation behavior, and determining that the higher the average, the lower the security.
By setting weight values, this embodiment brings the security calculation closer to the application's current security, reduces the influence of historical data, and improves how well the computed security matches the application's current security.
This embodiment also provides a way to narrow the scope of the statistics. After the statistics on the operation behaviors of the target application are collected, the method further includes:
determining target operation behaviors, where the target operation behaviors comprise the most recent N operation behaviors;
determining the risk coefficient corresponding to each operation behavior then includes:
determining the risk coefficients corresponding to the target operation behaviors.
By restricting the statistics to the most recent N operation behaviors, this embodiment reduces the amount of data counted, brings the security calculation closer to the application's current security, reduces the influence of historical data, and improves how well the computed security matches the application's current security. If more than N operation behaviors have already been counted, the excess can be discarded, or the weights corresponding to the risk coefficients of the excess operation behaviors can be set to 0. N counts operation behaviors, so it is necessarily a natural number greater than or equal to 1. To increase the statistical sample size and achieve an accurate risk assessment, N can be set to a larger value; the specific value is not uniquely limited by the embodiments of the present invention.
The embodiments of the present invention also provide specific ways to calculate the composite value. Calculating the composite value of the risk coefficients corresponding to the operation behaviors includes:
calculating the median of the risk coefficients corresponding to the operation behaviors and using the median as the composite value; or calculating the average of the risk coefficients corresponding to the operation behaviors and using the average as the composite value; or calculating the average reference value of the risk coefficient corresponding to each operation behavior and the previous M risk levels, and using the sum of the average reference values corresponding to the operation behaviors as the composite value.
In this embodiment, the composite value of the risk coefficients is a value calculated from multiple risk coefficients. Because the composite value is used to determine security, and a higher composite value means lower security, the higher the risk coefficients are overall, the lower the security should be. On this basis a person skilled in the art can design a calculation method they consider reasonable; this should not be understood to mean that any arbitrary calculation method is acceptable. The above calculation methods are therefore examples of the embodiments of the present invention and should not be understood as a unique limitation on them.
This embodiment also provides ways to determine the target application. Some applications come from a safe source rather than being downloaded by the user from a place whose safety cannot be established, so their security can be confirmed. The safe source here includes the source of the installation file, the source of update content, the source of data modifications, and so on. Other applications perform operation behaviors that are authorized and reasonable, for example navigation software obtaining the user's location information, or instant messaging software uploading the user's contact information to perform a contact backup; these operations need not be considered dangerous. Where an application has not performed any operation considered dangerous, it need not be included in the statistics and is treated as safe by default. Specifically, determining the target application includes:
if the terminal device contains an application whose source has not been confirmed as a safe source, determining that application as the target application;
or, if the operation behaviors of an application on the terminal device include an unauthorized operation behavior, determining that application as the target application.
This embodiment can reduce the number of target applications and thereby the resources consumed by security assessment.
基于以上说明,本发明实施例还提供了以手机为例对手机内的应用进行安全评估的具体实现方案,如图2所示,具体包括如下几个部分:Based on the above description, the embodiment of the present invention also provides a specific implementation scheme for security assessment of applications in the mobile phone by taking the mobile phone as an example, as shown in Figure 2, which specifically includes the following parts:
201: When the user needs to evaluate the security level of an application, start the security assessment mechanism.
The time at which the application is assessed may be when the user has just downloaded the application, when the terminal device is idle, a time set by the user, or the time of an assessment instruction sent by the server; this is not specifically limited.
202: Obtain all operation behaviors of the application, evaluate the security level of each operation behavior according to preset rules, and obtain the risk level or index of each operation behavior.
The preset rules may be set automatically by the server or set by the user, for example evaluating according to a built-in correspondence table or according to conclusions drawn from user data collected by the server;
For example, the result may be: accessing the user's location has a risk level of 5, accessing the user's address book has a risk level of 7, uploading user data has a risk level of 10, accessing the user's account information has a risk level of 15, and so on;
203: After the risk level of each operation behavior is obtained, the risk level obtained above and the risk levels of the most recent N times may be averaged to obtain the final risk level.
In step 203, averaging is only one option. Weights may also be applied to the most recent N times, for example the more recent the time the higher the weight; or the lowest and highest values among the most recent N times may be removed before averaging, and so on. In this way recent data is taken into account while the influence of older historical data on the current result is discarded.
204: Take the sum of the risk levels of all operation behaviors as the risk level of the application.
This embodiment can automatically and accurately evaluate the security level of an application for the user's reference.
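The target-application check and steps 202 to 204 above, as an added Python example that is not part of the patent text. The behavior names, the linear recency weights (normalised to a weighted average), trimming over the window including the current value, counting each distinct behavior once, and failing closed on behaviors missing from the table are all assumptions of this example.

```python
from dataclasses import dataclass, field

# Risk level per operation behavior. The four values are those given in step 202;
# the key names are assumptions made for this example.
RISK_TABLE = {
    "read_location": 5,
    "read_contacts": 7,
    "upload_user_data": 10,
    "read_account_info": 15,
}
# Assumption: a behavior missing from the table fails closed to the highest level.
UNKNOWN_LEVEL = max(RISK_TABLE.values())


@dataclass
class App:
    name: str
    trusted_source: bool            # install/update source confirmed as safe
    authorized_ops: set             # behaviors the user has authorized
    observed_ops: list              # behaviors captured while the app ran
    history: dict = field(default_factory=dict)  # behavior -> past levels, oldest first


def is_target(app):
    """An app is assessed if its source is unconfirmed or it did something unauthorized."""
    if not app.trusted_source:
        return True
    return any(op not in app.authorized_ops for op in app.observed_ops)


def final_level(current, past, n, method="mean"):
    """Step 203: combine the current level with the most recent n past levels."""
    if n < 1:
        raise ValueError("N must be a natural number >= 1")
    samples = list(past[-n:]) + [current]          # oldest first, current last
    if method == "trimmed" and len(samples) >= 3:
        samples = sorted(samples)[1:-1]            # drop one lowest and one highest
    elif method == "recency":
        # Assumption: linear weights 1..k, so the newest sample weighs most.
        weights = range(1, len(samples) + 1)
        return sum(w * s for w, s in zip(weights, samples)) / sum(weights)
    elif method not in ("mean", "trimmed"):
        raise ValueError(f"unknown method: {method}")
    return sum(samples) / len(samples)             # also the fallback for short windows


def assess(app, n=3, method="mean"):
    """Step 204: app risk level = sum of the final levels of its distinct behaviors.

    Returns None for an app that is not a target (treated as safe by default).
    """
    if not is_target(app):
        return None
    total = 0.0
    for op in sorted(set(app.observed_ops)):
        current = RISK_TABLE.get(op, UNKNOWN_LEVEL)
        total += final_level(current, app.history.get(op, []), n, method)
    return total


# Constructed sample apps (not from the patent).
NAV = App("nav", True, {"read_location"}, ["read_location"])
TORCH = App("torch", False, set(),
            ["read_contacts", "upload_user_data", "read_contacts"],
            {"read_contacts": [5, 7, 9], "upload_user_data": [2, 10, 10, 12]})
NOTES = App("notes", True, {"read_location"}, ["write_other_app_data"])

if __name__ == "__main__":
    for app in (NAV, TORCH, NOTES):
        scores = {m: assess(app, method=m) for m in ("mean", "recency", "trimmed")}
        print(app.name, "target" if is_target(app) else "skipped", scores)
```

The trusted navigation app is skipped entirely, while the trusted notes app becomes a target only because it performs a behavior outside its authorized set.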
The embodiment of the present invention also provides a terminal device, as shown in FIG. 3, including:
an application determining unit 301, configured to determine a target application, where the target application is an application that requires security assessment;
a statistics unit 302, configured to count the operation behaviors of the target application;
a coefficient determination unit 303, configured to determine the risk coefficient corresponding to each operation behavior; the riskier the operation behavior, the larger the risk coefficient;
a calculation unit 304, configured to calculate the comprehensive value of the risk coefficients corresponding to the operation behaviors;
a security determination unit 305, configured to determine that the higher the comprehensive value, the lower the security.
Whether an application needs security assessment can be decided according to predetermined rules, for example: all applications installed on the terminal device need security assessment; or an application whose source cannot be confirmed as safe is determined as a target application; or an application that has performed an operation exceeding its permissions is a target application; and so on. The specific form
In this embodiment, operation behaviors can be identified by capturing the operation instructions and execution steps executed by the application software, thereby determining which operation behaviors the target application has performed. Operation behaviors may include reading data, writing data, sending data, and so on; more specifically, for example: obtaining the user's location information, reading the user's contact information, uploading the user's contact information, writing data to a third-party application, and so on. Different operation behaviors carry different risks and can therefore be mapped to different risk coefficients. For example, an application writing data within its own scope is low risk, whereas writing data to a third-party application is higher risk; reading the user's location information is also higher risk, reading the user's contact information is also higher risk, and uploading the user's contact information is higher risk still. The corresponding risk coefficients can be preset according to the level of risk. The presets may be built into the system, set by the user, or downloaded from a server and stored locally; the specific preset form is not uniquely limited by the embodiment of the present invention.
It should also be noted that, to determine the security of the target application more accurately, the operation behaviors counted here may be all operation behaviors of the target application; deliberately omitting some of the operation behaviors that should be counted can be regarded as an inferior modification.
In this embodiment, the comprehensive value of the risk coefficients is a value calculated from multiple risk coefficients. Because the comprehensive value is used to determine security, and a higher comprehensive value means lower security, the higher the risk coefficients are overall, the lower the security should be. On this basis a person skilled in the art can design a calculation method considered reasonable; this should not be understood to mean that any arbitrary calculation method is acceptable. Specific calculation methods include, for example: the average of all risk coefficients, a weighted average of the risk coefficients, the average of the remaining risk coefficients after risk coefficients showing an abrupt change are removed, the average of the most recent N risk coefficients, and so on; the embodiment of the present invention does not uniquely limit the specific algorithm.
After the security of the target application is determined, a prompt can be given; for example, the security of all applications can be displayed as a list, or a separate prompt can be issued once a target application is determined to be dangerous. How the result is used after the security of the target application is determined is not uniquely limited by the embodiment of the present invention.
The embodiment of the present invention also provides examples of how determining the target application is started, that is, the start conditions of the security assessment, as follows: the application determining unit 301 is specifically configured to determine an application as the target application after the application is first installed or updated; or,
after obtaining a configured time, determine the target application at the configured time; or,
determine the target application when the terminal device is idle; or,
determine the target application after receiving a security assessment instruction.
It should be noted that triggering the security assessment flow in other ways does not affect the implementation of the embodiment of the present invention, so the above examples should not be construed as uniquely limiting the embodiment of the present invention.
The embodiment of the present invention also provides an example of how the risk coefficients are determined, as follows: the coefficient determination unit 303 is specifically configured to determine the risk coefficient corresponding to each operation behavior according to a preset correspondence between operation behaviors and risk coefficients.
It should be noted that the presets may be built into the system, set by the user, or downloaded from a server and stored locally; the specific preset form is not uniquely limited by the embodiment of the present invention.
In the embodiment of the present invention, the risk coefficients of operation behaviors can be preset, and the weights of the risk coefficients can further be determined in light of the actual local situation. For example, in chronological order, older historical data can be given relatively smaller weights and more recent data larger weights. Specifically: further, as shown in FIG. 4, the terminal device also includes:
a weight determination unit 401, configured to determine the weight value of each risk coefficient before the calculation unit 304 calculates the comprehensive value of the risk coefficients corresponding to the operation behaviors; the closer to the current time, the higher the weight value;
the calculation unit 304 is specifically configured to calculate the average of the products of the risk coefficient and the weight value corresponding to each operation behavior;
the security determination unit 305 is configured to determine that the higher the average, the lower the security.
By setting weight values, this embodiment brings the security calculation closer to the current security, reduces the influence of historical data, and improves how well the computed security matches the application's current security.
This embodiment also provides an implementation for narrowing the statistical range, as follows: further, the statistics unit 302 is also configured to determine target operation behaviors after counting the operation behaviors of the target application, where the target operation behaviors comprise the most recent N operation behaviors;
the coefficient determination unit 303 is specifically configured to determine the risk coefficients corresponding to the target operation behaviors.
By restricting the calculation to the most recent N operation behaviors, this embodiment reduces the amount of statistics, brings the security calculation closer to the current security, reduces the influence of historical data, and improves how well the computed security matches the application's current security. If more than N operation behaviors have been counted, the excess can be discarded, or the weight corresponding to the risk coefficients of the excess operation behaviors can be set to 0. N counts the number of operation behaviors, so it must be a natural number greater than or equal to 1. In addition, to increase the statistical sample size and achieve accurate risk assessment, N can be set relatively large; the specific value used is not uniquely limited by the embodiment of the present invention.
The embodiment of the present invention also provides a specific implementation for calculating the comprehensive value, as follows: the calculation unit 304 is specifically configured to calculate the median of the risk coefficients corresponding to the operation behaviors and use the median as the comprehensive value; or to calculate the average of the risk coefficients corresponding to the operation behaviors and use the average as the comprehensive value; or to calculate, for each operation behavior, the average reference value of its risk coefficient and the risk levels of the previous M times, and use the sum of the average reference values of the operation behaviors as the comprehensive value.
In this embodiment, the comprehensive value of the risk coefficients is a value calculated from multiple risk coefficients. Because the comprehensive value is used to determine security, and a higher comprehensive value means lower security, the higher the risk coefficients are overall, the lower the security should be. On this basis a person skilled in the art can design a calculation method considered reasonable; this should not be understood to mean that any arbitrary calculation method is acceptable. Therefore, the above calculation methods are examples of the embodiment of the present invention and should not be construed as uniquely limiting the embodiment of the present invention.
This embodiment also provides a way of determining the target application. Some applications come from a safe source rather than being downloaded by the user from a place whose safety cannot be determined, so their security can be established; the safe source here includes the source of the installation file, the source of updated content, the source of data modifications, and so on. For other applications, the operation behaviors are authorized, reasonable operations, for example navigation software obtaining the user's location information, or instant messaging software uploading the user's contact information to perform a contact backup; these operations need not be considered dangerous. Where an application has not performed any operation considered dangerous, it need not be counted and is treated as safe by default. Specifically: the application determining unit 301 is specifically configured to determine an application as the target application if the source of that application in the terminal device has not been confirmed as a safe source;
or, if the operation behaviors of an application in the terminal device include an unauthorized operation behavior, to determine that application as the target application.
This embodiment can reduce the number of target applications, thereby reducing the resources consumed by security assessment.
The embodiment of the present invention also provides another terminal device, as shown in FIG. 5, including: a receiver 501, a transmitter 502, a processor 503 and a memory 504; the memory 504 can be used to provide the processor 503 with the cache required for data processing, or other data storage functions;
the processor 503 is configured to determine a target application, where the target application is an application that requires security assessment; to count the operation behaviors of the target application and determine the risk coefficient corresponding to each operation behavior, where the riskier the operation behavior, the larger the risk coefficient; and to calculate the comprehensive value of the risk coefficients corresponding to the operation behaviors and determine that the higher the comprehensive value, the lower the security.
Whether an application needs security assessment can be decided according to predetermined rules, for example: all applications installed on the terminal device need security assessment; or an application whose source cannot be confirmed as safe is determined as a target application; or an application that has performed an operation exceeding its permissions is a target application; and so on. The specific form
In this embodiment, operation behaviors can be identified by capturing the operation instructions and execution steps executed by the application software, thereby determining which operation behaviors the target application has performed. Operation behaviors may include reading data, writing data, sending data, and so on; more specifically, for example: obtaining the user's location information, reading the user's contact information, uploading the user's contact information, writing data to a third-party application, and so on. Different operation behaviors carry different risks and can therefore be mapped to different risk coefficients. For example, an application writing data within its own scope is low risk, whereas writing data to a third-party application is higher risk; reading the user's location information is also higher risk, reading the user's contact information is also higher risk, and uploading the user's contact information is higher risk still. The corresponding risk coefficients can be preset according to the level of risk. The presets may be built into the system, set by the user, or downloaded from a server and stored locally; the specific preset form is not uniquely limited by the embodiment of the present invention.
It should also be noted that, to determine the security of the target application more accurately, the operation behaviors counted here may be all operation behaviors of the target application; deliberately omitting some of the operation behaviors that should be counted can be regarded as an inferior modification.
In this embodiment, the comprehensive value of the risk coefficients is a value calculated from multiple risk coefficients. Because the comprehensive value is used to determine security, and a higher comprehensive value means lower security, the higher the risk coefficients are overall, the lower the security should be. On this basis a person skilled in the art can design a calculation method considered reasonable; this should not be understood to mean that any arbitrary calculation method is acceptable. Specific calculation methods include, for example: the average of all risk coefficients, a weighted average of the risk coefficients, the average of the remaining risk coefficients after risk coefficients showing an abrupt change are removed, the average of the most recent N risk coefficients, and so on; the embodiment of the present invention does not uniquely limit the specific algorithm.
After the security of the target application is determined, a prompt can be given; for example, the security of all applications can be displayed as a list, or a separate prompt can be issued once a target application is determined to be dangerous. How the result is used after the security of the target application is determined is not uniquely limited by the embodiment of the present invention.
The embodiment of the present invention also provides examples of how determining the target application is started, that is, the start conditions of the security assessment, as follows: the processor 503 being configured to determine the target application includes:
after an application is first installed or updated, determining that application as the target application; or,
after obtaining a configured time, determining the target application at the configured time; or,
determining the target application when the terminal device is idle; or,
determining the target application after receiving a security assessment instruction.
It should be noted that triggering the security assessment flow in other ways does not affect the implementation of the embodiment of the present invention, so the above examples should not be construed as uniquely limiting the embodiment of the present invention.
The embodiment of the present invention also provides an example of how the risk coefficients are determined, as follows: the processor 503 being configured to determine the risk coefficient corresponding to each operation behavior includes:
determining the risk coefficient corresponding to each operation behavior according to a preset correspondence between operation behaviors and risk coefficients.
It should be noted that the presets may be built into the system, set by the user, or downloaded from a server and stored locally; the specific preset form is not uniquely limited by the embodiment of the present invention.
In the embodiment of the present invention, the risk coefficients of operation behaviors can be preset, and the weights of the risk coefficients can further be determined in light of the actual local situation. For example, in chronological order, older historical data can be given relatively smaller weights and more recent data larger weights. Specifically: further, the processor 503 is also configured to determine the weight value of each risk coefficient before calculating the comprehensive value of the risk coefficients corresponding to the operation behaviors; the closer to the current time, the higher the weight value;
the processor 503 being configured to calculate the comprehensive value of the risk coefficients corresponding to the operation behaviors and determine that the higher the comprehensive value, the lower the security includes:
calculating the average of the products of the risk coefficient and the weight value corresponding to each operation behavior, and determining that the higher the average, the lower the security.
By setting weight values, this embodiment brings the security calculation closer to the current security, reduces the influence of historical data, and improves how well the computed security matches the application's current security.
This embodiment also provides an implementation for narrowing the statistical range, as follows: further, the processor 503 is also configured to determine target operation behaviors after counting the operation behaviors of the target application, where the target operation behaviors comprise the most recent N operation behaviors;
the processor 503 being configured to determine the risk coefficient corresponding to each operation behavior includes: determining the risk coefficients corresponding to the target operation behaviors.
By restricting the calculation to the most recent N operation behaviors, this embodiment reduces the amount of statistics, brings the security calculation closer to the current security, reduces the influence of historical data, and improves how well the computed security matches the application's current security. If more than N operation behaviors have been counted, the excess can be discarded, or the weight corresponding to the risk coefficients of the excess operation behaviors can be set to 0. N counts the number of operation behaviors, so it must be a natural number greater than or equal to 1. In addition, to increase the statistical sample size and achieve accurate risk assessment, N can be set relatively large; the specific value used is not uniquely limited by the embodiment of the present invention.
本发明实施例还提供了计算综合值的具体实现方案,具体如下:上述处理器503,用于计算上述各操作行为对应的风险系数的综合值,包括:用于计算上述各操作行为对应的风险系数的中位数,将上述中位数作为上述综合值;或者,计算上述各操作行为对应的风险系数的平均值,将上述平均值作为上述综合值;或者,计算上述各操作行为对应的风险系数与前M次风险等级的平均参考值,计算各操作行为对应的平均参考值的和作为上述综合值;或者,计算上述各操作行为对应的风险系数与前M次风险等级的平均参考值,计算各操作行为对应的平均参考值的和作为上述综合值。The embodiment of the present invention also provides a specific implementation scheme for calculating the comprehensive value, which is as follows: the above-mentioned processor 503 is used to calculate the comprehensive value of the risk coefficient corresponding to the above-mentioned various operation behaviors, including: used to calculate the risk corresponding to the above-mentioned various operation behaviors For the median of the coefficients, the above-mentioned median is used as the above-mentioned comprehensive value; or, the average value of the risk coefficients corresponding to the above-mentioned operation behaviors is calculated, and the above-mentioned average value is used as the above-mentioned comprehensive value; or, the risk corresponding to the above-mentioned operation behaviors is calculated coefficient and the average reference value of the previous M risk levels, and calculate the sum of the average reference values corresponding to each operation behavior as the above comprehensive value; or, calculate the risk coefficient corresponding to each of the above operation behaviors and the average reference value of the previous M risk levels, The sum of the average reference values corresponding to each operation behavior is calculated as the above comprehensive value.
In this embodiment, the combined value of the risk coefficients is a value calculated from multiple risk coefficients. Because the combined value is used to determine security, and a higher combined value means lower security, the higher the risk coefficients are overall, the lower the security should be. On this basis, those skilled in the art can design a calculation method they consider reasonable; this should not be understood to mean that any arbitrary calculation method is acceptable. The calculation method above is therefore given as an example of the embodiments of the present invention and should not be understood as the only possible form of those embodiments.
This embodiment also provides a way of determining the target application. Some applications come from a safe source rather than having been downloaded by the user from a place whose safety cannot be determined, so their safety can be established. The safe source here includes the source of the installation file, the source of updated content, the source of data modifications, and so on. Other applications perform operation behaviors that are authorized, reasonable operations, for example navigation software obtaining the user's location information, or instant messaging software uploading the user's contact information when performing a contact backup. These operations need not be regarded as dangerous operations. Where an application has not performed any operation regarded as dangerous, it may be left out of the statistics and treated as safe by default. Specifically, the processor 503 being configured to determine the target application includes:
if the source of an application in the terminal device has not been confirmed as a safe source, determining that application to be a target application;
or, if the operation behaviors of an application in the terminal device include an unauthorized operation behavior, determining that application to be a target application.
This embodiment can reduce the number of target applications, thereby reducing the resources occupied by the security assessment.
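The target-application rule and the "higher combined value, lower security" requirement described above, as an added Python example that is not part of the patent text. All names, the trusted-source set, the sample applications and their risk coefficients are constructed, and the plain sum used as the combined value is an assumption chosen only because it never decreases when a coefficient rises.

```python
from dataclasses import dataclass

# Assumption: sources this device has confirmed as safe (constructed values).
TRUSTED_SOURCES = {"official_store", "preinstalled"}

# Authorized, reasonable behaviors per application category, following the
# two examples in the text (navigation reads location, IM uploads contacts).
AUTHORIZED_BEHAVIORS = {
    "navigation": {"read_location"},
    "instant_messaging": {"upload_contacts"},
}


@dataclass
class App:
    name: str
    category: str
    install_source: str       # source of the installation file
    update_source: str        # source of updated content
    data_change_source: str   # source of data modifications
    behaviors: dict           # observed behavior -> risk coefficient (constructed)


def unconfirmed_sources(app):
    """Return every source of the app that is not confirmed as safe."""
    sources = (app.install_source, app.update_source, app.data_change_source)
    return [s for s in sources if s not in TRUSTED_SOURCES]


def unauthorized_behaviors(app):
    """Return the behaviors (with coefficients) not authorized for the category.

    An unknown category has no authorized behaviors, so everything it does
    is treated as unauthorized.
    """
    allowed = AUTHORIZED_BEHAVIORS.get(app.category, set())
    return {b: c for b, c in app.behaviors.items() if b not in allowed}


def is_target(app):
    """Target application: unconfirmed source OR an unauthorized behavior."""
    return bool(unconfirmed_sources(app)) or bool(unauthorized_behaviors(app))


def target_applications(apps):
    """Apps that must be assessed; the rest are treated as safe by default."""
    return [app for app in apps if is_target(app)]


def combined_risk(coefficients):
    """Assumed combined value: a plain sum of non-negative coefficients.

    Rejecting negative coefficients keeps the result monotone, so a higher
    coefficient can never produce a lower (safer-looking) combined value.
    """
    coefficients = list(coefficients)
    if any(c < 0 for c in coefficients):
        raise ValueError("risk coefficients must be non-negative")
    return sum(coefficients)


def assess(apps):
    """Combined value per target app, over all of its recorded behaviors."""
    return {app.name: combined_risk(app.behaviors.values())
            for app in target_applications(apps)}


def device_risk(apps):
    """Combined value for the device: only target apps contribute."""
    return combined_risk(assess(apps).values())


# Constructed sample inventory.
SAMPLE_APPS = [
    # Trusted sources, only an authorized behavior: skipped, default safe.
    App("maps", "navigation", "official_store", "official_store",
        "official_store", {"read_location": 3}),
    # Authorized behavior, but the update came from an unconfirmed source.
    App("chat", "instant_messaging", "official_store", "unknown_url",
        "official_store", {"upload_contacts": 4}),
    # Trusted sources, but behaviors nothing authorizes for this category.
    App("flashlight", "utility", "official_store", "official_store",
        "official_store", {"read_location": 3, "send_sms": 8}),
]

if __name__ == "__main__":
    print(assess(SAMPLE_APPS), device_risk(SAMPLE_APPS))
```

Only two of the three sample applications are assessed, which is the resource saving the embodiment describes.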
An embodiment of the present invention also provides another terminal device, shown in FIG. 6. For ease of description, only the parts related to the embodiment of the present invention are shown; for specific technical details that are not disclosed, refer to the method part of the embodiments of the present invention. The terminal may be any terminal device, including a mobile phone, a tablet computer, a PDA (Personal Digital Assistant), a POS (Point of Sales) terminal, an in-vehicle computer, and so on. Taking a mobile phone as the example terminal:
FIG. 6 is a block diagram of part of the structure of a mobile phone related to the terminal provided by the embodiment of the present invention. Referring to FIG. 6, the mobile phone includes a radio frequency (RF) circuit 610, a memory 620, an input unit 630, a display unit 640, a sensor 650, an audio circuit 660, a wireless fidelity (WiFi) module 670, a processor 680, a power supply 690, and other components. Those skilled in the art will understand that the mobile phone structure shown in FIG. 6 does not limit the mobile phone, which may include more or fewer components than shown, combine certain components, or arrange the components differently.
The components of the mobile phone are described in detail below with reference to FIG. 6:
The RF circuit 610 can be used to receive and send signals while information is being sent and received or during a call. In particular, it receives downlink information from the base station and passes it to the processor 680 for processing, and it sends uplink data to the base station. Typically, the RF circuit 610 includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier (LNA), a duplexer, and the like. The RF circuit 610 can also communicate with networks and other devices by wireless communication. This wireless communication can use any communication standard or protocol, including but not limited to Global System of Mobile communication (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), email, Short Messaging Service (SMS), and so on.
The memory 620 can be used to store software programs and modules. The processor 680 runs the software programs and modules stored in the memory 620 to execute the mobile phone's functional applications and data processing. The memory 620 may mainly include a program storage area and a data storage area. The program storage area can store the operating system and the application programs required by at least one function (such as a sound playback function or an image playback function); the data storage area can store data created through use of the mobile phone (such as audio data or a phone book). In addition, the memory 620 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid-state storage device.
The input unit 630 can be used to receive entered numeric or character information and to generate key signal inputs related to user settings and function control of the mobile phone. Specifically, the input unit 630 may include a touch panel 631 and other input devices 632. The touch panel 631, also called a touch screen, can collect the user's touch operations on or near it (for example, operations the user performs on or near the touch panel 631 with a finger, a stylus, or any other suitable object or accessory) and drive the corresponding connected device according to a preset program. Optionally, the touch panel 631 may include two parts, a touch detection device and a touch controller. The touch detection device detects the position of the user's touch, detects the signal produced by the touch operation, and passes the signal to the touch controller. The touch controller receives the touch information from the touch detection device, converts it into contact coordinates, and sends them to the processor 680; it can also receive and execute commands sent by the processor 680. The touch panel 631 can be implemented in several types, such as resistive, capacitive, infrared, and surface acoustic wave. Besides the touch panel 631, the input unit 630 may include other input devices 632. Specifically, the other input devices 632 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys or a power key), a trackball, a mouse, a joystick, and the like.
The display unit 640 can be used to display information entered by the user or provided to the user, as well as the mobile phone's various menus. The display unit 640 may include a display panel 641, which may optionally be configured as a liquid crystal display (LCD), an organic light-emitting diode (OLED) display, or the like. Further, the touch panel 631 may cover the display panel 641. When the touch panel 631 detects a touch operation on or near it, it passes the operation to the processor 680 to determine the type of touch event, and the processor 680 then provides the corresponding visual output on the display panel 641 according to the type of touch event. Although in FIG. 6 the touch panel 631 and the display panel 641 are two separate components that implement the mobile phone's input and output functions, in some embodiments the touch panel 631 and the display panel 641 may be integrated to implement the input and output functions.
The mobile phone may also include at least one sensor 650, such as a light sensor, a motion sensor, or another sensor. Specifically, the light sensor may include an ambient light sensor and a proximity sensor. The ambient light sensor can adjust the brightness of the display panel 641 according to the ambient light level, and the proximity sensor can turn off the display panel 641 and/or the backlight when the mobile phone is moved to the ear. As one kind of motion sensor, an accelerometer can detect the magnitude of acceleration in each direction (generally three axes) and, when stationary, the magnitude and direction of gravity. It can be used in applications that recognize the phone's attitude (such as switching between portrait and landscape, related games, and magnetometer attitude calibration) and in vibration-recognition functions (such as a pedometer or tap detection). Other sensors the mobile phone may be equipped with, such as a gyroscope, barometer, hygrometer, thermometer, or infrared sensor, are not described further here.
The audio circuit 660, a speaker 661, and a microphone 662 can provide an audio interface between the user and the mobile phone. The audio circuit 660 can convert received audio data into an electrical signal and transmit it to the speaker 661, which converts it into a sound signal for output. In the other direction, the microphone 662 converts the collected sound signal into an electrical signal, which the audio circuit 660 receives and converts into audio data. The audio data is then output to the processor 680 for processing, after which it is sent through the RF circuit 610 to, for example, another mobile phone, or output to the memory 620 for further processing.
WiFi is a short-range wireless transmission technology. Through the WiFi module 670 the mobile phone can help the user send and receive email, browse web pages, and access streaming media, providing the user with wireless broadband Internet access. Although FIG. 6 shows the WiFi module 670, it is understood that the module is not an essential component of the mobile phone and can be omitted as needed without changing the essence of the invention.
The processor 680 is the control center of the mobile phone. It connects all parts of the phone through various interfaces and lines, and it performs the phone's functions and processes data by running or executing the software programs and/or modules stored in the memory 620 and by calling data stored in the memory 620, thereby monitoring the mobile phone as a whole. Optionally, the processor 680 may include one or more processing units. Preferably, the processor 680 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, user interface, and application programs, and the modem processor mainly handles wireless communication. It is understood that the modem processor need not be integrated into the processor 680.
The mobile phone also includes a power supply 690 (such as a battery) that powers the components. Preferably, the power supply is logically connected to the processor 680 through a power management system, so that charging, discharging, and power consumption are managed through the power management system.
Although not shown, the mobile phone may also include a camera, a Bluetooth module, and the like, which are not described further here.
In this embodiment of the present invention, the processor 680 included in the terminal also has the following functions:
In this embodiment of the present invention, the functions of the processor 680 included in the terminal may correspond to the functions of the processor 503 in the foregoing embodiment, and the memory 620 may correspond to the functions of the memory 504. They are not described again here.
Note that in the terminal device embodiments above, the units are divided only according to functional logic. The division is not limited to the one described, as long as the corresponding functions can be realized. In addition, the specific names of the functional units serve only to distinguish them from one another and do not limit the protection scope of the present invention.
In addition, those of ordinary skill in the art will understand that all or some of the steps in the method embodiments above can be completed by a program instructing the relevant hardware. The program can be stored in a computer-readable storage medium, and the storage medium may be a read-only memory, a magnetic disk, an optical disc, or the like.
The above are only preferred specific embodiments of the present invention, and the protection scope of the present invention is not limited to them. Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the embodiments of the present invention shall fall within the protection scope of the present invention. The protection scope of the present invention shall therefore be determined by the protection scope of the claims.
Claims (14)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610070987.3A CN105740715A (en) | 2016-01-29 | 2016-01-29 | A security assessment method and terminal equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610070987.3A CN105740715A (en) | 2016-01-29 | 2016-01-29 | A security assessment method and terminal equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105740715A true CN105740715A (en) | 2016-07-06 |
Family
ID=56242057
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610070987.3A Pending CN105740715A (en) | 2016-01-29 | 2016-01-29 | A security assessment method and terminal equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105740715A (en) |
---|---|---|
CN105740715A (en) | | A security assessment method and terminal equipment |
CN106331370B (en) | | A data transmission method and terminal device |
CN109873794B (en) | | Protection method for denial of service attack and server |
CN108834132B (en) | | Data transmission method and equipment and related medium product |
WO2014000632A1 (en) | | Method, device and apparatus for acquiring security state of mobile terminal |
US9680921B2 (en) | | Method, apparatus, and system for controlling voice data transmission |
CN106911848B (en) | | Method and terminal device for outputting prompt message |
CN106445596B (en) | | Method and device for managing setting items |
CN106657165B (en) | | Network attack defense method, server and terminal |
CN106412311A (en) | | A data transmission method and terminal equipment |
WO2018161540A1 (en) | | Fingerprint registration method and related product |
CN107967427A (en) | | Monitor the method, apparatus and terminal device of loophole attack |
CN106302603A (en) | | The method and apparatus remotely deleting information |
CN107104930A (en) | | It is a kind of that the methods, devices and systems for checking authority are set |
CN104573437A (en) | | Information authentication method, device and terminal |
CN106407771A (en) | | Message management method and device |
CN106648460B (en) | | Step-counting data filtering method and intelligent terminal |
CN110908586A (en) | | Keyboard display method and device and terminal equipment |
WO2017215663A1 (en) | | Sound effect processing method and terminal |
CN107102913A (en) | | Data backup method and device and computer equipment |
CN112307392A (en) | | A kind of page detection method, device and equipment |
CN106506623B (en) | | Data transmission method and equipment |
CN106371948B (en) | | A kind of data back up method and terminal device |
CN104966024B (en) | | A kind of method and device of protection database |
CN104134044B (en) | | A kind of detection method, device and system of Information Security |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20160706 |