Enriched access data supports anomaly detection to enhance network cybersecurity. Network access data is enriched using service nodes representing resource provision and other services, with geolocation nodes representing grouped access origins, and access values representing access legitimacy confidence. Data enrichment provides a trained model by mapping IP addresses to geolocations, building a bipartite access graph whose inter-node links indicate aspects of accesses from geolocations to services, and generating semantic vectors from the graph. Vector generation may include collaborative filtering, autoencoding, neural net embedding, and other machine learning tools and techniques. Anomaly detection systems then calculate service-geolocation or geolocation-geolocation vector distances with anomaly candidate vectors and the model's graph-based vectors, and treat distances past a threshold as anomaly indicators. Some embodiments curtail false positives relative to simply checking network access logs or packets for activity coming from unexpected places. Some avoid or reduce model retraining.