In recent years, IP flow identification in botnet detection attracts attentions in network security. IP flows associated with bot masters can be used to trace the botnet source. Most botnets suffer a large of IP-based attacks. This paper attempts to explore the correlations between attack behaviors and IP flows. By data collection, sets of functions concerning inference rules and conversion of data format, this paper successfully identifies the botnet attacks by IP flows and the inference patterns. The IP flow-based intrusion detection can efficiently find alert data correlation.