A method includes: at a server, obtaining security intelligence data used for classifying whether a data associated with a user activity in a network is undesirable at a first time; classifying whether a first data in the network is undesirable based on the security intelligence data; receiving a request for classifying whether a second data is undesirable based on the security intelligence data; determining whether the server is overloaded with tasks; if the server is determined to be overloaded with tasks: logging the second data in a repository, and tagging the second data to re-visit classification of the second data; and when the server is no longer overloaded, classifying whether the second data is undesirable to produce a second classifying result and re-classifying whether the first data is undesirable based on updated security intelligence data obtained by the server.