Systems and methods are provided for utilizing natural language process (NLP), namely semantic learning approaches, in the realm of network security. Techniques include analyzing network transaction records to form a crafted corpus related to a semantics of network activity. The crafted corpus can be adapted to include sequences of network entities that are deemed most appropriate for analyzing a particular category related to network activity. For example, crafted corpuses can include sequences of servers accessed by each user, in order to identify activity trends in a user's normal activity. A network embeddings model can be trained on the crafted corpus. The network embeddings model includes an embedding space of text that represents interactions between network entities and captures contextual similarities of text, which further measures similarities between the network entities in the embedding space. Using network embeddings model, network activity is monitored and modeled over time, and anomalies efficiently detected.