Abstract: The subject matter of this specification generally relates to computer security. In some implementations, a method includes maintaining a first data structure that stores arrays of identifier tuples. Each identifier tuple corresponds to a respective computer security event and includes one or more identifiers for a computing element associated with the computer security event. Each array of identifier tuples corresponds to a respective identifier and only includes identifier tuples that include the corresponding identifier. A second data structure that stores arrays of computer security data is maintained. Each array of computer security data corresponds to a respective identifier tuple stored in the first data structure and only includes computer security data associated with each identifier in the corresponding identifier tuple. A query that specifies a first identifier for a first computing element is received.

Abstract: The subject matter of this specification generally relates to computer networks. In some implementations, a method includes identifying a network address associated with a network event. Network activity (i) that was initiated by a computing device assigned the network address and (ii) that occurred within a threshold period of time of the network event is identified. A user that was assigned the network address at a time at which the network event occurred is identified using one or more network address assignment logs. A level of confidence that the user was using the network address at the time of the network event is determined based on the identified network activity and one or more patterns of network activity initiated by the user. An action is performed based on the level of confidence.

Abstract: The subject matter of this specification generally relates to computer security. In some implementations, a computing device detects a request to generate data for an encryption key at the computing device. The computing device identifies a process that initiated the request. The computing device determines, based at least on one or more characteristics of the process that initiated the request, whether or not to store a copy of the data for the encryption key. In response to determining to store the copy of the data for the encryption key, the computing device stores the copy of the data for the encryption key.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for authorizing actions of a service provider. In one aspect, a method includes providing a user security key to a mobile device of a user. A request is received from a client device distinct from the mobile device to perform an action. A challenge token including a security signature matched to a service security key is generated, and the challenge token is provided to the mobile device. An approval value is received from the client device. The approval value is determined to be valid in reference to the challenge token and the user security key previously provided to the mobile device and to indicate approval to perform the action for the user. The action is performed in response to receiving the approval value.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for providing contextual data aided security protection. In one aspect, a method includes automatically parsing an electronic message associated with a user that includes location information, and extracting the location information from the electronic message. The location information can be added to a database (e.g., white list) associated with the user. The location information in the database can be used to authenticate the user's request for access to electronic mail.