When a client device requests access to application data over a network, this access request may or may not be granted. Theoretically the client device can receive the requested application data only if the access request is granted, i.e., the application has been classified to be allowed. However, since classification of the application needs time, it often happens that data packets of a to-be-denied application have been leaked to the client device when the classification of the application is still on-going.