Disclosed is an improved approach for identifying security risks and breaches in a network by applying machine learning methods that learn resource access patterns in the network. Specifically, by observing the access pattern of the network entities (e.g. accounts, services, and hosts) from authorization requests/responses, the model through unsupervised learning, organizes the entity relationships into an ensemble of hierarchical models. The ensemble of hierarchical models can then be leveraged to create a series of metrics that can be used to identify various types of abnormalities in the access of a resource on the network. For instance, by further classifying the access request for a resource using abnormality scores into detection scenarios, the model is able to detect both an abnormality and the type of abnormality and include such information in a corresponding alarm when a security breach happens.