Rule-based and artificial intelligence-based hybrid analytics for action facilitation
Pre-grant publication: US-2024338628-A1 · Oct 10, 2024 · US
Granted patent: US12438898B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12438898-B2 |
| Application number | US-202318304245-A |
| Country | US |
| Kind code | B2 |
| Filing date | Apr 20, 2023 |
| Priority date | Apr 20, 2023 |
| Publication date | Oct 7, 2025 |
| Grant date | Oct 7, 2025 |
Abstract
A server for detecting anomalies associated with users accessing a network is caused to receive a dataset including static data and dynamic data. The static data includes location data of resources associated with the network and user data, and the dynamic data includes user access events. The server is further caused to detect, with a plurality of unsupervised machine learning models, an anomaly associated with a user accessing the network based on the static data and the dynamic data, determine whether the detected anomaly is critical, and in response to determining the detected anomaly is critical, generate and transmit a security alert specific to the detected anomaly to a security operation center. Other example servers, systems, apparatuses, methods, and non-transitory computer readable medium for detecting anomalies associated with users accessing a network are also disclosed.
Claims (preview)
What is claimed is:

1. A server for detecting anomalies associated with users accessing a network, the server comprising: a memory storing computer readable instructions; and processing circuitry configured to execute the computer readable instructions to cause the server to, receive a dataset including static data and dynamic data, the static data including location data of resources associated with the network and user data, the dynamic data including user access events, detect, with a plurality of unsupervised machine learning (ML) models, an anomaly associated with a user accessing the network based on the static data and the dynamic data, the user having a risk score specific to that user, determine whether the detected anomaly is critical or not critical based on one or more first defined thresholds, in response to determining the detected anomaly is critical, generate and transmit a first security alert specific to the detected anomaly to a security operation center (SOC), in response to determining the detected anomaly is not critical, increase the risk score specific to the user and determine whether the increased risk score exceeds a second defined threshold, and in response to the increased risk score exceeding the second defined threshold, generate and transmit a second security alert specific to the user to the SOC.

2. The server of claim 1, wherein the processing circuitry is further configured to execute the computer readable instructions to cause the server to classify the detected anomaly as a false positive based on one or more defined rules.

3. The server of claim 2, wherein the processing circuitry is further configured to execute the computer readable instructions to cause the server to: receive feedback from the SOC specific to the detected anomaly; and modify at least one of the one or more defined rules based on the received feedback.

4. The server of claim 1, wherein the processing circuitry is further configured to execute the computer readable instructions to cause the server to: receive feedback from the SOC specific to the detected anomaly; and tune the plurality of unsupervised ML models based on the received feedback.

5. The server of claim 1, wherein: the plurality of unsupervised ML models are trained unsupervised ML models; and the processing circuitry is further configured to execute the computer readable instructions to cause the server to detect whether performance of the plurality of unsupervised ML models falls below a third defined threshold, and retrain the plurality of unsupervised ML models in response to the performance of the plurality of unsupervised ML models falling below the third defined threshold.

6. The server of claim 1, wherein the processing circuitry is further configured to execute the computer readable instructions to cause the server to: receive feedback from the SOC specific to the detected anomaly; train a plurality of supervised ML models based on the received feedback; and detect, with the plurality of supervised ML models, an anomaly associated with a user accessing the network based on the static data and the dynamic data.

7. The server of claim 1, wherein the user access events includes at least one of a virtual private network login, a physical badge swipe, and a multifactor authentication process.

8. The server of claim 1, wherein the processing circuitry is further configured to execute the computer readable instructions to cause the server to: receive feedback from the SOC specific to the detected anomaly; train a plurality of supervised ML models based on the received feedback; and detect, with the plurality of unsupervised ML models and the plurality of supervised ML models, an anomaly associated with a user accessing the network based on the static data and the dynamic data.

9. The server of claim 1, wherein the processing circuitry is further configured to execute the computer readable instructions to cause the server to: receive feedback from the SOC specific to the detected anomaly; train a plurality of supervised ML models based on the received feedback; determine whether performance of the plurality of supervised ML models exceeds performance of the plurality of unsupervised ML models; and in response to the performance of the plurality of supervised ML models exceeding the performance of the plurality of unsupervised ML models, detect, with the plurality of supervised ML models, an anomaly associated with a user accessing the network based on the static data and the dynamic data.

10. A method for detecting anomalies associated with users accessing a network, the method comprising: receiving a dataset including static data and dynamic data, the static data including location data of resources associated with the network and user data, the dynamic data including user access events; detecting, with a plurality of unsupervised machine learning (ML) models, a plurality of anomalies associated with a user accessing the network based on the static data and the dynamic data, the user having a risk score specific to that user; determining whether each detected anomaly is critical or not critical based on one or more first defined thresholds; in response to determining any of the detected anomalies are critical, generating and transmitting a first security alert specific to each of the detected anomalies determined to be critical to a security operation center (SOC); increasing the risk score specific to the user for each of the detected anomalies determined to be not critical; determining whether the increased risk score exceeds a second defined threshold; and in response to the increased risk score exceeding a second defined threshold, generating and transmitting a second security alert specific to the user to the SOC.

11. The method of claim 10, further comprising classifying the detected anomaly as a false positive based on one or more defined rules.

12. The method of claim 11, further comprising: receiving feedback from the SOC specific to the detected anomaly; and modifying at least one of the one or more defined rules based on the received feedback.

13. The method of claim 10, further comprising: receiving feedback from the SOC specific to the detected anomaly; and tuning the plurality of unsupervised ML models based on the received feedback.

14. The method of claim 10, wherein: the plurality of unsupervised ML models are trained unsupervised ML models, and the method further comprises detecting whether performance of the plurality of unsupervised ML models falls below a third defined threshold, and retraining the plurality of unsupervised ML models in response to the performance of the plurality of unsupervised ML models falling below the third defined threshold.

15. The method of claim 10, further comprising: receiving feedback from the SOC specific to the detected anomaly; training a plurality of supervised ML models based on the received feedback; and detecting, with the plurality of supervised ML models, an anomaly associated with a user accessing the network based on the static data and the dynamic data.

16. A non-transitory computer readable medium storing computer readable instructions, which when executed by processing circuitry of a server, causes the server to: receive a dataset including static data and dynamic data, the static data including location data of resources associated with a network and user data, the dynamic data including user login events; detect, with a plurality of unsupervised machine learning (ML) models, an anomaly
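The decision logic of claims 1 to 3 (unsupervised scorers over static and dynamic data, a first threshold that splits critical from non-critical anomalies, a per-user risk score that accumulates non-critical hits and alerts the SOC when it crosses a second threshold, and rule-based false-positive suppression that SOC feedback can edit) can be made concrete in a few dozen lines. The block below is an added example written for this page; it is not the patent's implementation and the patent does not specify which unsupervised models, thresholds or event schema it uses. Everything here is assumed: a login-hour z-score and an impossible-travel speed check stand in for the "plurality of unsupervised ML models", the threshold values, the `AccessEvent` schema, the NYC/London resource coordinates, the constructed event stream in `run_demo()`, and the choice to reset the risk score after a risk alert.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from statistics import mean, pstdev

# Static data (constructed): coordinates of network resources and per-user attributes.
RESOURCES = {"vpn-nyc": (40.71, -74.01), "badge-nyc": (40.71, -74.01), "vpn-lon": (51.51, -0.13)}
USERS = {"alice": {"home_site": "nyc"}, "bob": {"home_site": "nyc"}}

@dataclass(frozen=True)  # dynamic data: one VPN login, badge swipe or MFA event (constructed schema)
class AccessEvent:
    user: str
    kind: str        # "vpn", "badge" or "mfa"
    resource: str
    ts_hours: float  # hours since the start of the constructed dataset
    lat: float
    lon: float

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def hour_zscore(baseline, event):
    """Unsupervised scorer 1: standard deviations between this login hour and the user's own profile."""
    hours = [e.ts_hours % 24 for e in baseline if e.user == event.user]
    if len(hours) < 3:
        return 0.0  # too little history to profile; stay silent rather than guess
    return abs(event.ts_hours % 24 - mean(hours)) / (pstdev(hours) or 1.0)

def travel_speed_kmh(history, event):
    """Unsupervised scorer 2: speed implied by the user's previous location and this one."""
    last = max((e for e in history if e.user == event.user), key=lambda e: e.ts_hours, default=None)
    if last is None:
        return 0.0
    dt = max(event.ts_hours - last.ts_hours, 1e-3)
    return haversine_km((last.lat, last.lon), (event.lat, event.lon)) / dt

# name -> (scorer, anomaly threshold, critical threshold); assumed values. An odd hour is never
# critical on its own, while faster-than-airliner travel is critical outright.
SCORERS = {"hour": (hour_zscore, 3.0, 8.0), "travel": (travel_speed_kmh, 300.0, 900.0)}

class Triage:
    """Critical anomalies alert the SOC at once; the rest raise a per-user risk score."""
    RISK_ALERT_THRESHOLD = 3.0  # assumed second threshold

    def __init__(self):
        self.history = []   # every event, for last-known-location checks
        self.baseline = []  # benign events only, so anomalies do not pollute the hour profile
        self.risk = {u: 0.0 for u in USERS}
        self.alerts = []
        # Rule-based false-positive suppression, editable via SOC feedback: early badge-ins at home are routine.
        self.suppress_hour_for_kinds = {"badge"}

    def is_false_positive(self, name, event):
        at_home = event.resource.endswith(USERS[event.user]["home_site"])
        return name == "hour" and event.kind in self.suppress_hour_for_kinds and at_home

    def feedback(self, kind, benign):
        """SOC verdict on hour anomalies for an event kind: adds or removes the suppression rule."""
        (self.suppress_hour_for_kinds.add if benign else self.suppress_hour_for_kinds.discard)(kind)

    def process(self, event):
        decisions = []
        for name, (scorer, detect_t, critical_t) in SCORERS.items():
            score = scorer(self.baseline if name == "hour" else self.history, event)
            if score < detect_t:
                continue  # this scorer sees nothing unusual
            if self.is_false_positive(name, event):
                decisions.append(("false_positive", name))
            elif score >= critical_t:
                self.alerts.append(("critical", event.user, name))
                decisions.append(("alert_critical", name))
            else:
                self.risk[event.user] += score / detect_t  # non-critical: accumulate risk
                decisions.append(("risk_increment", name))
                if self.risk[event.user] > self.RISK_ALERT_THRESHOLD:
                    self.alerts.append(("risk", event.user, None))
                    decisions.append(("alert_risk", None))
                    self.risk[event.user] = 0.0  # assumed: reset once the SOC owns the case
        self.history.append(event)
        if all(d[0] == "false_positive" for d in decisions):  # benign: extend the profile
            self.baseline.append(event)
        return decisions

def run_demo():
    """Replay the constructed events; returns the triage state and decisions per labelled event."""
    nyc, lon = RESOURCES["vpn-nyc"], RESOURCES["vpn-lon"]
    t = Triage()
    for day, hour in enumerate((8, 9, 10, 11, 12)):  # alice: routine daytime VPN logins from NYC
        t.process(AccessEvent("alice", "vpn", "vpn-nyc", day * 24 + hour, *nyc))
    for day in range(3):  # bob: routine 09:00 badge-ins in NYC
        t.process(AccessEvent("bob", "badge", "badge-nyc", day * 24 + 9, *nyc))
    out = {"A": t.process(AccessEvent("alice", "vpn", "vpn-nyc", 5 * 24 + 3, *nyc)),    # 03:00, NYC
           "B": t.process(AccessEvent("alice", "vpn", "vpn-lon", 5 * 24 + 6, *lon)),    # London 3 h later
           "C": t.process(AccessEvent("bob", "badge", "badge-nyc", 3 * 24 + 5, *nyc))}  # 05:00 badge-in
    t.feedback("badge", benign=False)  # SOC: early badge-ins should not be suppressed after all
    out["E"] = t.process(AccessEvent("bob", "badge", "badge-nyc", 4 * 24 + 2, *nyc))  # 02:00 badge-in
    out["D"] = t.process(AccessEvent("alice", "vpn", "vpn-lon", 6 * 24 + 2, *lon))    # 02:00, London
    return t, out
```

In the replay, alice's 03:00 login is a non-critical hour anomaly and only raises her risk score; the London login three hours later implies roughly 1,850 km/h of travel and alerts the SOC directly; bob's early badge-in at his home site is suppressed by the rule until the SOC withdraws it through `feedback()`; and alice's later 02:00 login pushes her accumulated score over the second threshold, producing the user-level alert of claim 1. Keeping a separate benign-only `baseline` for the hour profile is the design point worth copying: if flagged events were fed back into the profile, each anomaly would widen the distribution and make the next one harder to see.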
CPC classification titles:
- for managing network security; network security policies in general (filtering policies H04L63/0227)
- Machine learning
- Event detection, e.g. attack signature detection
- by monitoring network traffic (monitoring network traffic per se H04L43/00)
- Learning methods