Abstract:
The number of cybersecurity threats increases every year because of the rapid improvement of the methods and tools attackers use to infect devices. Compromised devices are organized into a network, called a botnet, through which they send and receive commands. Botnets spread malware to infect further targets in the network and then control them to carry out illegal activity. Previous research has demonstrated that security systems can identify attacks by analyzing communication among bots with a graph-based approach. While this analytical method achieves satisfactory accuracy, it still suffers from low recall, precision, and F1-score, owing to issues such as imbalanced data and the complexity of botnet behavior. This research addresses these challenges by analyzing network flows using adaptive weighting and feature extraction. Network flows are represented as a graph with IP addresses as vertices and communication links between IP addresses as edges. Because botnet activity accounts for a small fraction of the millions of recorded network flows, the data are grouped by time-gap analysis to handle the class imbalance. Furthermore, the network flows are represented in two graphs, and each edge is weighted according to 16 weighting schemes. The graph representation and the weighting output are stored as out-degree and in-degree graph metadata for classification. Classification is performed as an ensemble over the weightings and threshold values to decide whether an IP address belongs to a botnet or is a normal host. Experimental results on the CTU-13, NCC, and NCC-2 datasets show reliable performance, with an average accuracy of 99.99%, 80.91% precision, 93.10% recall, an 82.15% F1-score, and a 39.55-second execution time.
The proposed model can function as an effective tool for the forensic analysis of botnet attacks, allowing network administrators to analyze the characteristics of botnet activities and anticipate potential future...
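The abstract describes the pipeline only at a high level: flows become a directed graph of IP addresses, edges carry weights, per-host in-degree and out-degree metadata are extracted, and an ensemble of thresholds labels each IP. The following Python is an added example written to make that pipeline concrete; it is not the paper's code and does not reproduce its 16 weightings. Everything beyond the abstract is this example's own assumption and is marked as such in the comments: three stand-in edge weightings (flow count, bytes, packets), a time-gap split rule, the chosen degree features and thresholds, the majority vote, and the constructed capture (five bots beaconing to one command-and-control host alongside benign web and DNS traffic, not data from CTU-13 or NCC).

```python
"""Graph-based botnet host scoring over NetFlow-style records.

Added example, not the paper's implementation.  Assumptions: three
illustrative edge weightings stand in for the paper's 16; the time-gap
split rule, the in/out-degree features, the thresholds and the majority
vote are this example's own choices; the capture is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since capture start
    src: str
    dst: str
    nbytes: int
    pkts: int


def split_by_time_gap(flows, gap_seconds):
    """Assumption: a new group starts whenever the gap between consecutive
    flows (sorted by timestamp) exceeds gap_seconds.  Grouping shrinks the
    benign-to-bot ratio inside each group, which is how the abstract's
    time-gap analysis addresses class imbalance."""
    ordered = sorted(flows, key=lambda f: f.ts)
    groups, current = [], []
    for f in ordered:
        if current and f.ts - current[-1].ts > gap_seconds:
            groups.append(current)
            current = []
        current.append(f)
    if current:
        groups.append(current)
    return groups


# Assumption: three edge weightings; the paper uses 16.
WEIGHTINGS = {
    "flows": lambda f: 1,
    "bytes": lambda f: f.nbytes,
    "pkts": lambda f: f.pkts,
}


def build_graph(flows):
    """Directed graph with IP addresses as vertices and one edge per
    (src, dst) pair, carrying an accumulated weight per weighting."""
    edges = defaultdict(lambda: defaultdict(int))
    for f in flows:
        for name, weight in WEIGHTINGS.items():
            edges[(f.src, f.dst)][name] += weight(f)
    return edges


def degree_features(edges):
    """Per-IP out-degree and in-degree metadata: distinct peer counts and,
    for each weighting, the summed weight of outgoing and incoming edges.
    Assumption: out_flows_per_peer is added as a beaconing indicator."""
    feats = defaultdict(lambda: defaultdict(float))
    for (src, dst), weights in edges.items():
        feats[src]["out_peers"] += 1
        feats[dst]["in_peers"] += 1
        for name, val in weights.items():
            feats[src]["out_" + name] += val
            feats[dst]["in_" + name] += val
    for f in feats.values():
        if f["out_peers"]:
            f["out_flows_per_peer"] = f["out_flows"] / f["out_peers"]
    return feats


# Assumption: per-feature thresholds; a host is flagged when at least
# min_votes of them fire (a simple ensemble of threshold detectors).
THRESHOLDS = {
    "in_peers": 4,            # many distinct sources contact it (C&C fan-in)
    "in_flows": 12,           # sustained inbound traffic
    "out_flows": 12,          # sustained outbound traffic
    "out_flows_per_peer": 10,  # repeated contact with the same peer (beaconing)
}


def classify_hosts(flows, gap_seconds=30.0, min_votes=2):
    """Return the set of IP addresses flagged as botnet hosts."""
    flagged = set()
    for group in split_by_time_gap(flows, gap_seconds):
        feats = degree_features(build_graph(group))
        for ip, f in feats.items():
            votes = sum(1 for k, t in THRESHOLDS.items() if f[k] >= t)
            if votes >= min_votes:
                flagged.add(ip)
    return flagged


def metrics(predicted, truth, all_hosts):
    tp, fp, fn = len(predicted & truth), len(predicted - truth), len(truth - predicted)
    tn = len(all_hosts) - tp - fp - fn
    prec = tp / (tp + fp) if tp + fp else 0.0
    rec = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * prec * rec / (prec + rec) if prec + rec else 0.0
    return {"accuracy": (tp + tn) / len(all_hosts), "precision": prec, "recall": rec, "f1": f1}


def constructed_capture():
    """Constructed sample data (not CTU-13/NCC): one C&C host with five
    beaconing bots, plus benign web browsing and a later burst of DNS lookups."""
    cc, web, dns = "10.0.0.250", "10.0.0.80", "10.0.0.53"
    bots = [f"10.0.1.{i}" for i in range(1, 6)]
    clients = [f"10.0.2.{i}" for i in range(1, 21)]
    flows = [Flow(float(t), b, cc, 200, 2) for b in bots for t in range(0, 60, 5)]
    flows += [Flow(1.0, c, web, 1500, 10) for c in clients[:10]]
    flows += [Flow(600.0 + i, c, dns, 80, 1) for i, c in enumerate(clients)]
    return flows, {cc, *bots}


def run(gap_seconds=30.0, min_votes=2):
    flows, truth = constructed_capture()
    hosts = {f.src for f in flows} | {f.dst for f in flows}
    flagged = classify_hosts(flows, gap_seconds, min_votes)
    return flagged, truth, metrics(flagged, truth, hosts)


if __name__ == "__main__":
    flagged, truth, m = run()
    print("flagged:", sorted(flagged), "ground truth:", sorted(truth))
    print({k: round(v, 4) for k, v in m.items()})
```

On the constructed capture the C&C host and all five bots are flagged, and so is the benign DNS server, because fan-in alone cannot distinguish a command-and-control server from any popular service. That single false positive among 28 hosts leaves accuracy at about 96% while precision drops to 6/7; with a realistic ratio of millions of benign flows to a handful of bots the same effect makes accuracy approach 100% regardless of detector quality, which is why the abstract's 80.91% precision, 93.10% recall and 82.15% F1-score are the figures to judge the method by rather than its 99.99% accuracy.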
Published in: IEEE Access (Volume: 13)