Many computing scenarios involve a network connecting a device with one or more nodes of the network, and that particularly involve the filtering of activity of the nodes while interacting with the device. For example, an email server may receive email from many nodes, but may filter out bulk unsolicited email messages (“spam”) from desired email messages; a webserver may be configured to differentiate legitimate web requests from unproductive web requests, such as disingenuous requests submitted as a denial-of-service attack; and a file server may wish to provide service while identifying and blocking intrusion attempts (e.g., attempts to install malware in order to commandeer the server for a “botnet” controlled by another individual.)
In each of these scenarios, it may be desirable to implement filtering techniques on the device that successfully identify and exclude unwanted activity and that reduce the frequency of accidentally excluding wanted activity (e.g., a “false positive” in a filtering scheme), while efficiently utilizing the resources of the device (e.g., memory, network capacity, and processor usage) in performing the filtering. In the particular scenario of bulk unsolicited email messages, filtering techniques often involve various properties of the email messages, such as blacklists of notorious or suspected spammers, whitelists of senders that are believed to be acceptable to recipients of such email messages, and keywords that are often included in spam email messages (such as the names of popular pharmaceuticals that are often advertised for sale via spam email messages.) Increasing the aggressiveness of these filtering techniques may successfully reduce the delivery of spam email messages, but may also raise the number of “false positives” of non-spam email messages that are incorrectly identified as spam by the filtering techniques and withheld from delivery to users.