The composition of domain names generated by the dictionary-based Domain Generation Algorithm (DGA) is very similar to that of benign domain names and it is difficult to effectively detect them with the existing technology. To solve this problem, a detection model was proposed, namely CL (Convolutional Neural Network (CNN) and Long Short-Term Memory (LSTM) network). The model includes three parts:character embedding layer, feature extraction layer and fully connected layer. Firstly, the characters of the input domain name were encoded by the character embedding layer. Then, the features of the domain name were extracted by connecting CNN and LSTM in serial way through the feature extraction layer. The n-grams features of the domain name were extracted by CNN and the extracted result were sent to LSTM to learn the context features between n-grams. Meanwhile, different combinations of CNNs and LSTMs were used to learn the features of n-grams with different lengths. Finally, the dictionary-based DGA domain names were classified and predicted by the fully connected layer according to the extracted features. Experimental results show that when the CNNs select the convolution kernel sizes of 3 and 4, the proposed model achives the best performance. In the four dictionary-based DGA family experiments, the accuracy of the CL model is improved by 2.20% compared with that of the CNN model. And with the increase of the number of sample families, the CL network model has a better stability.

The massive parked domains exist in the Internet, which seriously affect the Internet experience and Internet environment of online users when surfing. In order to recognize parked domains, a new method of parked domain recognition was proposed based on authoritative Domain Name Server (DNS). The set of authoritative DNS which could be used for domain parking service was extracted by the typosquatting domains commonly used in domain parking service. Then the set was clustered by semi-supervised clustering method to identify the authoritative DNS associated with domain parking service. When detecting a parked domain, the parked domain was recognized by the judgments that whether its authoritative DNS was applied in domain parking service and whether its mapped IP addresses was concluded in the set of IP addresses of parking Web servers. By using the existing detecting method based on webpages' features, the accuracy of the proposed method was analyzed. The experimental results show the proposed method has achieved the accuracy rate of 92.8%, and avoids crawling the webpage information, which has a good performance on parked domains detection in real-time.