Cloud　storage　provides　external　data　storage　services　by　combining　and　coordinating　different　types　of　devices　in　a　network　to　work　collectively.　However,　there　is　always　a　trust　relationship　between　users　and　service　providers,　therefore,　an　effective　security　auditing　of　cloud　data　and　operational　processes　is　necessary.　We　propose　a　trusted　cloud　framework　based　on　a　Cloud　Accountability　Life　Cycle　(CALC).　We　suggest　that　auditing　provenance　data　in　cloud　servers　is　a　practical　and　efficient　method　to　log　data,　being　relatively　stable　and　easy　to　collect　type　of　provenance　data.　Furthermore,　we　suggest　a　scheme　based　on　user　behaviour　(UB)　by　analysing　the　log　data　from　cloud　servers.　We　present　a　description　of　rules　for　a　UB　operating　system　log,　and　put　forward　an　association　rule　mining　algorithm　based　on　the　Long　Sequence　Frequent　Pattern　(LSFP)　to　extract　the　UB.　Finally,　the　results　of　our　experiment　prove　that　our　solution　can　be　implemented　to　track　and　forensically　inspect　the　data　leakage　in　an　efficient　manner　for　cloud　security　auditing.　©　2019,　University　of　Split.　All　rights　reserved.