The invention discloses a botnet, Trojan horse and worm network analysis method based on logs. The method comprises the steps that step 1, a DNS log and a RADIUS log are obtained; the DNS log comprises date, time, visit information, IP request information, domain name request information, domain name request characteristics, type analysis, IP information analysis and DNS server characteristic information; step 2, log cleaning is performed on the DNS log and the RADIUS log, fields which have no influence on statistics are deleted, fields which influences a statistical result are retained or modified; step 3, a suspicious domain name which confirms with specific characteristics is obtained according to common behavior characteristics of a known botnet, Trojan horse and worm network and a computer which has virus of botnet, Trojan horse and worm; step 4, according to the user visit DNS log and RADIUS log of the suspicious domain name, the characteristics of user groups which visit the suspicious domain name are analyzed, and a domain name of the botnet, Trojan horse and worm is determined according to the characteristics of the user groups.