One common way for detecting malware devices in a network is to use a blacklist based on signature detection.However, in the near future, this detection method will become difficult because of the variety of malwares.In this paper, we propose the method of detecting malicious devices by using machine learning to identify unknown malware.We extract the time series data of feature vectors from logs of DNS query/response, then we transform them into distributed representation by using Recurrent neural network (RNN). We also performed the cluster analysis to explore their relation.The experiment shows that the behavior of the source IP address is classified into two classes; moreover, the some minority clusters transmit to the specific queries.