A computer cloud storage data full life cycle encryption protection method

By assessing data sensitivity through machine learning and dynamically adjusting encryption strategies, combined with distributed key management and homomorphic encryption, a full lifecycle encryption protection system is constructed. This solves the problems of dynamic adaptability and lifecycle management of data security in cloud storage, and improves data security and availability.

CN121580412BActive Publication Date: 2026-07-14ANHUI AGRICULTURAL UNIVERSITY

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
ANHUI AGRICULTURAL UNIVERSITY
Filing Date
2025-11-07
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

Existing cloud storage technologies lack dynamic and adaptive encryption strategies throughout the entire data lifecycle. Centralized key management is vulnerable to attacks, and imperfect data lifecycle management leads to threats such as unauthorized access, man-in-the-middle attacks, data tampering, and leakage when data is stored in the cloud.

Method used

Machine learning models are used to assess data sensitivity, dynamically select encryption algorithms and rounds, and combine distributed key management, homomorphic encryption technology, access control and lifecycle monitoring to build a full lifecycle encryption protection system.

Benefits of technology

It achieves full lifecycle security protection for data in the cloud, reduces the risk of key leakage, improves confidentiality, integrity and availability, and reduces management costs and compliance risks.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN121580412B_ABST
    Figure CN121580412B_ABST
Patent Text Reader

Abstract

The application provides a computer cloud storage data full life cycle encryption protection method, which has the characteristics of full life cycle coverage, dynamic adaptive encryption and modular collaborative management, wherein the data sensitivity is dynamically evaluated and the encryption parameters are adjusted through a context perception model, the accurate matching of encryption strength and security requirements is realized, and excessive encryption or insufficient security is avoided; distributed key management and homomorphic encryption technology are used to ensure the continuous safety of data in the transmission, storage and processing links, and reduce the risk of key leakage; through the integration of access control, life cycle monitoring and secure destruction modules, an end-to-end protection system is built, which can effectively prevent unauthorized access, data tampering and residual leakage threats, thereby significantly improving the confidentiality, integrity and availability of cloud storage data, while reducing management costs and compliance risks.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of data storage, and in particular to a method for encrypting and protecting computer cloud storage data throughout its entire lifecycle. Background Technology

[0002] With the rapid development and widespread application of cloud computing technology, data storage is gradually shifting from local storage to the cloud. Cloud storage, with its advantages of elastic scalability, low cost, and convenient access, has become the preferred solution for enterprises and individuals to process big data. Cloud computing platforms, through distributed architecture and virtualization technology, provide massive data storage and processing capabilities, and are widely used in finance, healthcare, government affairs, and the Internet of Things (IoT) and other fields.

[0003] However, when data is stored in the cloud, encryption protection is often only applied to a single stage, such as transmission or storage. For example, only SSL / TLS protocols are used to protect the transmission channel, or static encryption algorithms (such as AES) are applied only at the storage layer. This segmented encryption method cannot cover the entire lifecycle of data, from generation, transmission, storage, processing to destruction, leaving data exposed to potential risks in unencrypted stages. In existing technologies, cloud storage security mainly relies on traditional encryption methods and access control mechanisms, but these have many limitations: First, encryption strategies lack dynamic adaptability and cannot adjust encryption strength according to data sensitivity and context, resulting in wasted resources or insufficient security; second, centralized key management is prone to becoming a single point of failure, and the key generation and distribution process may be exploited by attackers; in addition, data often needs to be decrypted before processing, increasing the risk of leakage, while advanced technologies such as homomorphic encryption are limited in application due to high computational overhead; finally, data lifecycle management is imperfect, lacking effective monitoring and destruction mechanisms, which means that residual data may be recovered. The existence of these problems exposes cloud storage data to multiple threats, including unauthorized access, man-in-the-middle attacks, data tampering, and leakage. In particular, in industries with strict compliance requirements (such as GDPR and HIPAA), data security throughout its entire lifecycle has become a rigid requirement.

[0004] Therefore, there is an urgent need in this field to develop an encryption protection method and system that covers the entire data lifecycle, capable of dynamically adjusting encryption strategies, integrating key management, access control and security monitoring, to ensure that data is fully protected at every stage of cloud storage, thereby improving the overall security level. Summary of the Invention

[0005] The purpose of this invention is to provide a method for encrypting and protecting computer cloud storage data throughout its entire lifecycle, in order to solve the problems existing in the prior art.

[0006] To achieve the above objectives, the present invention provides the following solution:

[0007] This invention provides a method for full lifecycle encryption protection of computer cloud storage data, comprising the following steps:

[0008] S1. Receive raw data through the data ingestion module and extract metadata, which includes data type, data size, data source, data owner and timestamp;

[0009] S2. Based on the metadata, the context analysis module calculates the data sensitivity score using a machine learning model, wherein the machine learning model employs a logistic regression algorithm, and the formula is:

[0010] ;

[0011] in, These are feature vectors, derived from metadata. For the weight vector, This is the transpose of the weight vector. For bias terms;

[0012] S3. The encryption strategy engine dynamically selects the encryption algorithm and the number of encryption rounds based on the data sensitivity score, wherein the formula for calculating the number of encryption rounds is:

[0013] ;

[0014] in, To minimize the number of encryption rounds, The maximum number of encryption rounds, Indicates rounding down;

[0015] S4. The data encryption key is derived from the master key and context parameters through the key management module, wherein the context parameters include the data identifier, timestamp, and data sensitivity score, and the derivation formula is:

[0016] ;

[0017] in, Master key For context parameters;

[0018] S5. The original data is encrypted using the data encryption key and the number of encryption rounds by the encryption execution module to generate encrypted data. The encryption process includes block processing, initial permutation, and encryption round loop. The encryption round loop includes byte replacement, row shifting, column mixing, and round key addition operation.

[0019] S6. The encrypted data is transmitted to the secure storage module via the secure transmission module, and the TLS / SSL protocol is used to ensure secure transmission.

[0020] S7. The encrypted data is distributed and stored through a secure storage module, and metadata and access logs are recorded.

[0021] S8. Access control is performed on the encrypted data based on user attributes and permissions through the access control module, wherein the access decision formula is:

[0022] ;

[0023] in, The access authorization result is 1, indicating that access is allowed, and 0, indicating that access is denied. For user attributes, As weight, For the threshold;

[0024] S9. Monitor data status through the lifecycle management module and trigger re-encryption or secure destruction operations according to the policy;

[0025] S10. Securely delete the data and its key through the secure destruction module, using multiple overwrite or cryptographic erasure methods, and verify the destruction result through hash verification.

[0026] Preferably, in step S2, the training method for the machine learning model includes:

[0027] Using a labeled dataset, the loss function is optimized using gradient descent, as shown in the formula:

[0028] ;

[0029] in, For the sample size, For the first The true label of each sample For the first The prediction sensitivity score for each sample.

[0030] Preferably, in step S3, dynamically selecting the encryption algorithm includes:

[0031] When S < 0.3, use the AES-128 algorithm;

[0032] The AES-192 algorithm is used when 0.3 ≤ S < 0.7;

[0033] The AES-256 algorithm is used when S ≥ 0.7.

[0034] Preferably, in step S5, the initial permutation uses a permutation table P, which is dynamically generated based on data sensitivity scores, and the generation function formula is:

[0035] ;

[0036] in, The function generates random permutations using the data sensitivity score as a seed.

[0037] Preferably, in step S7, distributed storage includes storing encrypted data in blocks across multiple cloud storage nodes and dynamically adjusting the backup frequency based on the probability of corruption statistics, wherein the probability of corruption statistics are calculated through historical data analysis and mathematical models.

[0038] Preferably, in step S8, the access control module employs homomorphic encryption. The algorithm performs encrypted data calculations, and the encryption formula is as follows:

[0039] ;

[0040] in, As part of the public key, For plain text, It is a random number. This is the public key.

[0041] Preferably, in step S9, the data status includes creation, active, archived and destruction status, and the status transition is based on time strategy and access frequency strategy.

[0042] Preferably, in step S10, secure deletion includes repeatedly overwriting the storage location with random data and verifying the result using a secure destruction verification formula, which is:

[0043] ;

[0044] in, This is the data storage area.

[0045] This invention also provides a computer cloud storage data lifecycle encryption protection system for executing the above-described computer cloud storage data lifecycle encryption protection method, the system comprising:

[0046] The data ingestion module is used to receive raw data and extract metadata;

[0047] The context analysis module is used to calculate the data sensitivity score S based on metadata;

[0048] The encryption strategy engine is used to dynamically select the encryption algorithm and the number of encryption rounds based on the data sensitivity score S;

[0049] The key management module is used to generate, store, and manage data encryption keys;

[0050] The encryption execution module is used to encrypt data using a data encryption key and a number of encryption rounds;

[0051] A secure transmission module is used to ensure the security of encrypted data during transmission;

[0052] A secure storage module is used for distributed storage and management of encrypted data;

[0053] A security processing module is used to support homomorphic encryption computation;

[0054] The access control module is used to control data access based on user permissions;

[0055] The lifecycle management module is used to monitor data status and trigger encryption or destruction operations;

[0056] The secure destruction module is used to securely delete data and its keys.

[0057] Preferably, the modules in the system are connected via a central control bus to enable coordinated management of data flow and control flow.

[0058] The present invention achieves the following beneficial technical effects compared to the prior art:

[0059] This invention provides a method for full lifecycle encryption protection of computer cloud storage data, featuring full lifecycle coverage, dynamic adaptive encryption, and modular collaborative management. It achieves precise matching of encryption strength and security requirements by dynamically assessing data sensitivity and adjusting encryption parameters through a context-aware model, avoiding over-encryption or insufficient security. Distributed key management and homomorphic encryption technologies ensure continuous data security during transmission, storage, and processing, reducing the risk of key leakage. By integrating access control, lifecycle monitoring, and secure destruction modules, an end-to-end protection system is constructed, effectively defending against threats such as unauthorized access, data tampering, and residual leakage. This significantly improves the confidentiality, integrity, and availability of cloud storage data while reducing management costs and compliance risks. Attached Figure Description

[0060] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the embodiments will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0061] Figure 1 The flowchart of the computer cloud storage data full lifecycle encryption protection method provided by the present invention. Detailed Implementation

[0062] Unless otherwise specified, the terms "connection" and "linkage" used in this application include both direct and indirect connections (linkages). In the description of this invention, it should be understood that the terms "upper," "lower," "front," "rear," "left," "right," "vertical," "horizontal," "top," "bottom," "inner," "outer," "clockwise," and "counterclockwise," etc., indicating orientations or positional relationships based on the orientations or positional relationships shown in the accompanying drawings, are used only for the convenience of describing the invention and for simplifying the description, and do not indicate or imply that the device or element referred to must have a specific orientation, or be constructed and operated in a specific orientation. Therefore, they should not be construed as limitations on the invention.

[0063] In this invention, unless otherwise explicitly specified and limited, "above" or "below" the second feature can mean that the first feature is in direct contact with the second feature, or that the first feature is in indirect contact with the second feature through an intermediate medium. Furthermore, "above," "over," and "on top" of the second feature can mean that the first feature is directly above or diagonally above the second feature, or simply that the first feature is at a higher horizontal level than the second feature. "Below," "below," and "under" the second feature can mean that the first feature is directly below or diagonally below the second feature, or simply that the first feature is at a lower horizontal level than the second feature.

[0064] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0065] The purpose of this invention is to provide a method for full lifecycle encryption protection of computer cloud storage data. By constructing a complete encryption system covering the entire process of data generation, transmission, storage, processing, and destruction, dynamic and adaptive protection of data security is achieved. The core of this method lies in introducing a context-aware mechanism, using machine learning models to dynamically assess data sensitivity, and adaptively adjusting the encryption strategy based on the assessment results, thereby optimizing system performance while ensuring security.

[0066] To make the above-mentioned objects, features and advantages of the present invention more apparent and understandable, the present invention will be further described in detail below with reference to the accompanying drawings and specific embodiments.

[0067] Example 1:

[0068] This embodiment provides a method for full lifecycle encryption protection of computer cloud storage data, such as... Figure 1As shown, the data ingestion module first receives raw data and extracts metadata. This metadata includes key information such as data type, data size, data source, data owner, and timestamp. This metadata is not only used for data management but also provides a foundation for subsequent sensitivity analysis. The data ingestion module employs a multi-threaded asynchronous processing mechanism to ensure efficient data reception under high concurrency, while simultaneously verifying data integrity and consistency through data validation algorithms.

[0069] Subsequently, the context analysis module calculates a data sensitivity score based on the extracted metadata using a pre-trained machine learning model. This model employs a logistic regression algorithm, and its formula is as follows:

[0070] ;

[0071] in, The feature vector is derived from metadata through normalization and one-hot encoding, and includes numerical encoding of data type, logarithmic scaling of data size, source credibility score, etc. The weight vector is obtained through model training, and its dimensions are... Consistent, This is the transpose of the weight vector. is the bias term used to adjust the model output; e is the natural constant.

[0072] During model training, a labeled historical dataset is used, and the loss function is optimized using gradient descent.

[0073] ;

[0074] in, For the sample size, For the first The true labels of each sample (0 indicates insensitive, 1 indicates sensitive). For the first The prediction sensitivity score for each sample is the model's predicted value. During training, hyperparameters are adjusted through cross-validation to ensure the model's generalization ability.

[0075] The encryption policy engine dynamically selects the encryption algorithm and the number of encryption rounds based on the calculated data sensitivity score. The formula for calculating the number of encryption rounds is:

[0076] ;

[0077] in, This is the minimum number of encryption rounds (default value is 10). This is the maximum number of encryption rounds (default value is 20). This indicates rounding down to the nearest integer.

[0078] The encryption algorithm selection strategy is as follows: AES-128 is used when S < 0.3, AES-192 is used when 0.3 ≤ S < 0.7, and AES-256 is used when S ≥ 0.7. This dynamic adjustment mechanism ensures that highly sensitive data receives stronger encryption protection, while low-sensitivity data avoids the performance overhead caused by over-encryption.

[0079] The key management module derives the data encryption key DEK based on the master key MK and context parameters. The derivation formula is:

[0080] ;

[0081] in, The master key is stored in the hardware security module. Context parameters include the data identifier, timestamp, and data sensitivity score. The key derivation process employs Key Derivation Functions (KDFs) to enhance security, ensuring each data segment has an independent encryption key. Key storage utilizes a distributed keystore combined with a threshold secret sharing scheme to prevent single-point-of-disclosure risks.

[0082] The encryption execution module encrypts the original data using the data encryption key DEK and the encryption round number N. The encryption process includes block processing, initial permutation, and encryption round iteration. Block processing divides the data into 128-bit fixed-size blocks; the initial permutation uses a dynamically generated permutation table, whose generation function is:

[0083] ;

[0084] in, The function generates random permutations using the data sensitivity score as a seed to enhance encryption randomness; the encryption round cycle includes byte substitution (using AES S-Box), row shifting, column mixing (except in the last round), and round key addition. The encrypted data is output in matrix form to ensure consistent formatting.

[0085] The secure transmission module transmits encrypted data to the secure storage module via the TLS / SSL protocol. During transmission, a forward secure key exchange protocol (such as DHE or ECDHE) and a two-way authentication mechanism are used to prevent man-in-the-middle attacks. The transport layer encryption and the encryption of the data itself form a double protection, ensuring that the data content remains secure even if the transmission channel is breached.

[0086] The secure storage module distributes encrypted data across multiple cloud storage nodes, dividing the data into blocks and recording metadata and access logs. The storage strategy dynamically adjusts backup frequency based on corruption probability statistics. Corruption probability is calculated using a historical data analysis model, taking into account factors such as node failure rate, network outage frequency, and data access patterns. Backup operations employ asynchronous replication technology to ensure data consistency and availability.

[0087] The access control module makes access decisions based on user attributes and permissions, using the following formula:

[0088] ;

[0089] in, The access authorization result is 1, indicating that access is allowed, and 0, indicating that access is denied. For user attributes (such as role, department, security level). As weight, The threshold value is used. For the data to be calculated, the module supports homomorphic encryption processing, using... algorithm:

[0090] ;

[0091] in, It is a part of the public key (usually n+1). For plain text, It is a random number. This is the public key. This algorithm allows addition operations to be performed in an encrypted state, avoiding the risk of decryption during data processing.

[0092] The lifecycle management module monitors data status (including creation, active, archived, and destruction status), and state transitions are automatically triggered based on time and access frequency policies. For example, data that has not been accessed for a long time is automatically transferred to the archived state, triggering a re-encryption operation; data that has reached its retention period is transferred to the destruction queue. Re-encryption uses a newly derived data encryption key to ensure key validity.

[0093] The secure destruction module securely deletes the data and its keys using multiple random data overwriting algorithms (such as the DoD5220.22-M standard) or cryptographic erasure (making the data unrecoverable by deleting the key). The destruction result is verified via hash checksum.

[0094] ;

[0095] in, This is the data storage area. After successful verification, a destruction log is recorded to ensure compliance.

[0096] Example 2:

[0097] This invention also provides a computer cloud storage data lifecycle encryption protection system, which includes a data ingestion module, a context analysis module, an encryption policy engine, a key management module, an encryption execution module, a secure transmission module, a secure storage module, a secure processing module, an access control module, a lifecycle management module, and a secure destruction module. All modules are connected via a central control bus to achieve collaborative management of data flow and control flow. The system adopts a microservice architecture, with modules communicating through API interfaces, supporting elastic scaling and fault isolation.

[0098] In summary, this invention achieves refined management of data security through a context-aware dynamic encryption mechanism and full lifecycle monitoring. This method not only improves the confidentiality, integrity, and availability of cloud-stored data but also reduces system overhead through adaptive optimization, making it suitable for fields with stringent data security requirements, such as finance, healthcare, and government.

[0099] The technical features of the above embodiments can be combined in any way. For the sake of brevity, not all possible combinations of the technical features in the above embodiments are described. However, as long as there is no contradiction in the combination of these technical features, they should be considered to be within the scope of this specification.

[0100] It should be noted that the components mentioned in the above embodiments are all general standard parts or components known to those skilled in the art. Their structures and principles can be learned by those skilled in the art through technical manuals or conventional experimental methods.

[0101] This invention has illustrated its principles and implementation methods using specific examples. The descriptions of these embodiments are merely illustrative of the method and its core ideas; furthermore, those skilled in the art will recognize that modifications may be made to the specific implementation methods and application scope based on the principles of this invention. Therefore, the content of this specification should not be construed as limiting the invention.

Claims

1. A method for full lifecycle encryption protection of computer cloud storage data, characterized in that, Includes the following steps: S1. Receive raw data through the data ingestion module and extract metadata, which includes data type, data size, data source, data owner and timestamp; S2. Based on the metadata, the context analysis module calculates the data sensitivity score using a machine learning model, wherein the machine learning model employs a logistic regression algorithm, and the formula is: ; in, These are feature vectors, derived from metadata. For the weight vector, This is the transpose of the weight vector. For bias terms; S3. The encryption strategy engine dynamically selects the encryption algorithm and the number of encryption rounds based on the data sensitivity score, wherein the formula for calculating the number of encryption rounds is: ; in, To minimize the number of encryption rounds, The maximum number of encryption rounds, Indicates rounding down; S4. The data encryption key is derived from the master key and context parameters through the key management module, wherein the context parameters include the data identifier, timestamp, and data sensitivity score, and the derivation formula is: ; in, Master key For context parameters; S5. The original data is encrypted using the data encryption key and the number of encryption rounds by the encryption execution module to generate encrypted data. The encryption process includes block processing, initial permutation, and encryption round loop. The encryption round loop includes byte replacement, row shifting, column mixing, and round key addition operation. S6. The encrypted data is transmitted to the secure storage module via the secure transmission module, and the TLS / SSL protocol is used to ensure secure transmission. S7. The encrypted data is distributed and stored through a secure storage module, and metadata and access logs are recorded. S8. Access control is performed on the encrypted data based on user attributes and permissions through the access control module, wherein the access decision formula is: ; in, The access authorization result is 1, indicating that access is allowed, and 0, indicating that access is denied. For user attributes, As weight, For threshold; S9. Monitor data status through the lifecycle management module and trigger re-encryption or secure destruction operations according to the policy; S10. Securely delete the data and its key through the secure destruction module, using multiple overwrite or cryptographic erasure methods, and verify the destruction result through hash verification.

2. The method for full lifecycle encryption protection of computer cloud storage data according to claim 1, characterized in that, In step S2, the training methods for the machine learning model include: Using a labeled dataset, the loss function is optimized using gradient descent, as shown in the formula: ; in, For the sample size, For the first The true label of each sample For the first The prediction sensitivity score for each sample.

3. The method for full lifecycle encryption protection of computer cloud storage data according to claim 1, characterized in that, In step S3, dynamically selecting the encryption algorithm includes: When S < 0.3, use the AES-128 algorithm; The AES-192 algorithm is used when 0.3 ≤ S < 0.7; The AES-256 algorithm is used when S ≥ 0.

7.

4. The method for full lifecycle encryption protection of computer cloud storage data according to claim 1, characterized in that, In step S5, the initial permutation uses a permutation table P, which is dynamically generated based on the data sensitivity score. The generation function formula is: ; in, The function generates random permutations using the data sensitivity score as a seed.

5. The method for full lifecycle encryption protection of computer cloud storage data according to claim 1, characterized in that, In step S7, distributed storage includes storing encrypted data in blocks across multiple cloud storage nodes and dynamically adjusting the backup frequency based on the probability of corruption statistics, which are calculated through historical data analysis and mathematical models.

6. The method for full lifecycle encryption protection of computer cloud storage data according to claim 1, characterized in that, In step S8, the access control module uses homomorphic encryption. The algorithm performs encrypted data calculations, and the encryption formula is as follows: ; in, As part of the public key, For plain text, It is a random number. This is the public key.

7. The method for full lifecycle encryption protection of computer cloud storage data according to claim 1, characterized in that, In step S9, the data status includes creation, active, archived and destruction status, and the status transition is based on time strategy and access frequency strategy.

8. The method for full lifecycle encryption protection of computer cloud storage data according to claim 1, characterized in that, In step S10, secure deletion includes repeatedly overwriting data at the storage location using random methods, and verifying the data using a secure deletion verification formula. The secure deletion verification formula is as follows: ; in, This is the data storage area.

9. A computer cloud storage data lifecycle encryption protection system, characterized in that, The system is used to implement the computer cloud storage data lifecycle encryption protection method as described in any one of claims 1-8, the system comprising: The data ingestion module is used to receive raw data and extract metadata; The context analysis module is used to calculate the data sensitivity score S based on metadata; The encryption strategy engine is used to dynamically select the encryption algorithm and the number of encryption rounds based on the data sensitivity score S; The key management module is used to generate, store, and manage data encryption keys; The encryption execution module is used to encrypt data using a data encryption key and a number of encryption rounds; A secure transmission module is used to ensure the security of encrypted data during transmission; A secure storage module is used for distributed storage and management of encrypted data; A security processing module is used to support homomorphic encryption computation; The access control module is used to control data access based on user permissions; The lifecycle management module is used to monitor data status and trigger encryption or destruction operations; The secure destruction module is used to securely delete data and its keys.

10. The computer cloud storage data lifecycle encryption protection system according to claim 9, characterized in that, The modules in the system are connected through a central control bus to achieve coordinated management of data flow and control flow.