The invention provides a controlled host detection method and device based on a knowledge graph, and the method comprises the steps: filtering extracted feature data by adopting data, in a response state of NXDOMAIN, in DNS flow, describing the data based on a knowledge graph construction framework, constructing an NXDOMAINIP knowledge graph; and finally, analyzing the knowledge graph by utilizinga community discovery algorithm and a community judgment algorithm to obtain a controlled host list and mark a suspected malicious code family. Based on a distributed data flow processing framework,real-time DNS request flow is analyzed on a large scale, and the analysis efficiency is greatly improved through a multi-stage data preprocessing process; and through NXDOMAINIP knowledge graph construction, community discovery and community judgment, word list splicing DGA domain names are detected, controlled hosts and related malicious code families are determined, victims are reminded in timeto carry out AV upgrading and full-disk scanning on the hosts, and host vulnerabilities are reinforced.