Abstract: The power monitoring system is the most important production management system in the power industry. As an important part of the power monitoring system, the user station will become the main target of network attacks if it lacks grid binding. To perceive network attack events on the subscriber station side in time, a method that combines real-time detection of, and active defense against, random domain names on the subscriber station side is proposed. A capsule network (CapsNet) combined with a long short-term memory (LSTM) network is used to classify the domain names extracted from the traffic data. When a random domain name is detected, instructions are sent through the remote terminal protocol (Telnet) to routers and switches, which either update their security policies or shut down their service interfaces to block the network attack. The experimental results show that the CapsNet combined with the LSTM classification algorithm can achieve an accuracy of 99.16% and a recall of 98% in random domain name detection. Through Telnet, routers and switches can be linked to perform active defense without interrupting services.
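
The detect-then-respond flow described in the abstract, as an added Python example that is not the paper's code. It swaps the CapsNet+LSTM classifier for a simple entropy and vowel-ratio heuristic, and it returns a response plan instead of opening a Telnet session. The thresholds, the escalation rule, the action names and the sample queries are all assumptions constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample: (client IP, queried domain) pairs extracted from traffic.
SAMPLE_QUERIES = [
    ("10.0.5.11", "www.example.com"),
    ("10.0.5.11", "mail.example.org"),
    ("10.0.5.23", "xkqzjvhwpbtrlmq.net"),
    ("10.0.5.23", "q7x2kz9vw4jh8tbn.info"),
    ("10.0.5.42", "updates.example.net"),
]
VOWELS = set("aeiou")

def label_features(domain):
    """Return (entropy, vowel ratio, length) of the longest label, TLD excluded."""
    labels = domain.lower().rstrip(".").split(".")[:-1]
    label = max(labels, key=len) if labels else ""
    if not label:
        return 0.0, 0.0, 0
    n = len(label)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(label).values())
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters) if letters else 0.0
    return entropy, vowel_ratio, n

def is_random_domain(domain, min_len=10, min_entropy=3.2, max_vowel_ratio=0.25):
    """Heuristic stand-in for the classifier: long, high-entropy, vowel-poor label."""
    entropy, vowel_ratio, n = label_features(domain)
    return n >= min_len and entropy >= min_entropy and vowel_ratio <= max_vowel_ratio

def plan_response(queries, escalate_at=2):
    """Group detections by client and choose one of the two actions the abstract names.

    Assumed rule: one hit leads to a policy update; escalate_at or more hits
    lead to shutting down the service interface the client sits behind.
    """
    hits = {}
    for client, domain in queries:
        if is_random_domain(domain):
            hits.setdefault(client, []).append(domain)
    return [
        {"client": client, "domains": domains,
         "action": "shutdown-interface" if len(domains) >= escalate_at else "update-policy"}
        for client, domains in sorted(hits.items())
    ]

if __name__ == "__main__":
    for step in plan_response(SAMPLE_QUERIES):
        print(step)
```
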