Vehicle security manager
US-2019182267-A1 · Jun 13, 2019 · US
US10931635B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10931635-B2 |
| Application number | US-201816146166-A |
| Country | US |
| Kind code | B2 |
| Filing date | Sep 28, 2018 |
| Priority date | Sep 29, 2017 |
| Publication date | Feb 23, 2021 |
| Grant date | Feb 23, 2021 |
Official abstract text for this publication.
Systems and methods for an automotive security gateway include an in-gateway security system that monitors local host behaviors in vehicle devices to identify anomalous local host behaviors using a blueprint model trained to recognize secure local host behaviors. An out-of-gateway security system monitors network traffic across remote hosts, local devices, hotspot network, and in-car network to identify anomalous behaviors using deep packet inspection to inspect packets of the network. A threat mitigation system issues threat mitigation instructions corresponding to the identified anomalous local host behaviors and the anomalous remote host behaviors to secure the vehicle devices by removing the identified anomalous local host behaviors and the anomalous remote host behaviors. Automotive security gateway services and vehicle electronic control units operate the vehicle devices according to the threat mitigation instructions.
Opening claim text (preview).
What is claimed is:

1. A system for an automotive security gateway, the system comprising: an in-gateway security system that monitors local host behaviors in vehicle devices to identify anomalous local host behaviors using a blueprint model trained, using a blueprint modelling system, to recognize secure local host behaviors, the blueprint modelling system comprising: a process modelling component trained to recognize normal process behaviors including programs normally spawned from a program of each of the in-gateway services such that the process modelling component identifies anomalous process behaviors that are not normal based on an identification of programs being unusually spawned from the program, the process modeling component being configured for generating an alarm including an alert for detected anomalous local host behavior; and a file modelling component trained to recognize normal file access behaviors of the program of each of the in-gateway services such that the file modelling component identifies anomalous file access behaviors that are not normal based on a file model trained against file access patterns of each possible gateway service, the file modeling component being configured for generating an alarm including an alert for detected anomalous local host behavior, wherein the in-gateway security system includes a system scanner that scans each of the vehicle devices to identify in-gateway services; an out-of-gateway security system that monitors network traffic across remote hosts, local devices, hotspot network, and in-car network to identify anomalous behaviors using deep packet inspection that inspects packets of the network traffic; a threat mitigation system to issue threat mitigation instructions corresponding to the identified anomalous local host behaviors and the anomalous remote host behaviors to secure the vehicle devices by removing the identified anomalous local host behaviors and the anomalous remote host behaviors; and automotive security gateway services and vehicle electronic control units operating the vehicle devices according to the threat mitigation instructions.

2. The system as recited in claim 1, wherein the blueprint modelling system further comprises: a network modelling component trained to recognize normal network connection behaviors for the program of each of the in-gateway services such that the network modelling component identifies anomalous network connection behaviors that are not normal to generate the alarm for anomalous behavior.

3. The system as recited in claim 2, wherein file events of the normal file access behaviors and the anomalous file access behaviors includes file reading, file writing, file opening and file closing.

4. The system as recited in claim 2, wherein network events of the normal network connection behaviors and the anomalous network connection behaviors includes source address, source port, destination address, destination port and protocol.

5. The system as recited in claim 1, wherein the out-of-gateway security system includes a network screen that scans the network traffic to identify out-of-gateway services.

6. The system as recited in claim 1, wherein the out-of-gateway security system includes a backend address inspector that compares a packet source address and a packet destination address to a backend whitelist of backend addresses to identify unverified backend hosts corresponding to anomalous network traffic and generate a network traffic alarm.

7. The system as recited in claim 1, wherein the out-of-gateway security system includes an updater encryption monitor that uses deep packet inspection to compare a packet destination address to a content whitelist of updater addresses to identify unverified updater hosts and to identify an encryption status of the packet corresponding to anomalous network traffic and generate a network traffic alarm.

8. The system as recited in claim 1, wherein the out-of-gateway security system includes a sub-network monitor that compares a packet source address and a packet destination address to a segregation list of sub-networks to be segregated to identify network traffic in communication with one of the sub-networks to be segregated and generate a network traffic alarm.

9. The system as recited in claim 1, wherein the out-of-gateway security system includes a signature inspector configured to: match a key generated from the network five tuple, source internet protocol address (IP), source port, destination IP, destination port, and a protocol, to a key of a context signature, the context signature including a key, a list of a signature whitelist and a list of a signature blacklist; match a signature from a packet to a signature from one of the signature whitelist or the signature blacklist upon matching the signature for the key, the second packet being subsequent to the first packet; and generate a network traffic alarm where the signature of the second packet matches a signature of the signature blacklist to inspect signatures of the network traffic.

10. A system for an automotive security gateway, the system comprising: an in-gateway security system that monitors local host behaviors in vehicle devices to identify anomalous local host behaviors, the in-gateway security system including: a system scanner that scans each of the vehicle devices to identify in-gateway services; and a blueprint modelling system trained to recognize secure local host behaviors, the blueprint modelling system comprising: a process modelling component trained to recognize normal process behaviors including programs normally spawned from a program of each of the in-gateway services such that the process modelling component identifies anomalous process behaviors that are not normal based on an identification of programs being unusually spawned from the program, the process modeling component being configured for generating an alarm including an alert for detected anomalous local host behavior; and a file modelling component trained to recognize normal file access behaviors of the program of each of the in-gateway services such that the file modelling component identifies anomalous file access behaviors that are not normal based on a file model trained against file access patterns of each possible gateway service, the file modeling component being configured for generating an alarm including an alert for detected anomalous local host behavior, wherein the in-gateway security system includes a system scanner that scans each of the vehicle devices to identify in-gateway services; an out-of-gateway security system that monitors network traffic across remote hosts, local devices, hotspot network, in-car network to identify anomalous behaviors, the out-of-gateway security system including: a network screen that scans the network traffic to identify out-of-gateway services; and a deep packet inspector that performs deep packet inspection to inspect packets of the network traffic to identify packet attributes including a packet source address and a packet destination address; a threat mitigation system to issue threat mitigation instructions corresponding to the identified anomalous local host behaviors and the anomalous remote host behaviors to secure the vehicle devices by removing the identified anomalous local host behaviors and the anomalous remote host behaviors; and automotive security gateway services and vehicle electronic control units operating the vehicle devices according to the threat mitigation instructions.

11. The system as recited in claim 10, wherein the blueprint modelling system further comprises: a network modelling component trained to recognize norma
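The out-of-gateway checks of claims 6, 8 and 9 (backend address whitelist, segregation list of sub-networks, and five-tuple keyed context signatures with a whitelist and a blacklist) as an added Python sketch; this is not code from the patent, and the addresses, sub-networks and signature tags are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed configuration (assumed values, not from the patent).
IN_CAR_NETWORK = ipaddress.ip_network("192.168.0.0/16")
BACKEND_WHITELIST = {"203.0.113.10"}                         # verified backend hosts (claim 6)
SEGREGATION_LIST = [ipaddress.ip_network("192.168.2.0/24")]  # sub-networks to segregate (claim 8)
# Context signatures keyed by five-tuple, each with a whitelist and a blacklist (claim 9).
CONTEXT_SIGNATURES = {
    ("192.168.1.5", 40000, "203.0.113.10", 443, "tcp"): {
        "whitelist": {"TLS_CLIENT_HELLO"}, "blacklist": {"PLAINTEXT_FIRMWARE_PUSH"}},
}

# 'signature' is a constructed content tag standing in for what a DPI engine would extract.
Packet = namedtuple("Packet", "src sport dst dport proto signature")

def five_tuple(p):
    return (p.src, p.sport, p.dst, p.dport, p.proto)

def inspect(p):
    """Return the network traffic alarms raised for one packet."""
    alarms = []
    for addr in (p.src, p.dst):
        ip = ipaddress.ip_address(addr)
        # Backend address inspector: endpoints outside the in-car network must be whitelisted.
        if ip not in IN_CAR_NETWORK and addr not in BACKEND_WHITELIST:
            alarms.append(("unverified_backend", addr))
        # Sub-network monitor: traffic touching a sub-network that is supposed to be segregated.
        if any(ip in net for net in SEGREGATION_LIST):
            alarms.append(("segregated_subnet", addr))
    # Signature inspector: look up the context signature by five-tuple key, then match the
    # packet signature against its blacklist; a whitelist hit or an unknown key raises nothing.
    ctx = CONTEXT_SIGNATURES.get(five_tuple(p))
    if ctx and p.signature in ctx["blacklist"]:
        alarms.append(("blacklisted_signature", p.signature))
    return alarms

def inspect_stream(packets):
    """Alarms for a whole packet stream, each tagged with the packet's index."""
    return [(i, a) for i, p in enumerate(packets) for a in inspect(p)]

# Constructed sample traffic: a verified TLS session, a blacklisted push on the same
# five-tuple, a connection to an unknown backend, and a packet into a segregated sub-network.
SAMPLE = [
    Packet("192.168.1.5", 40000, "203.0.113.10", 443, "tcp", "TLS_CLIENT_HELLO"),
    Packet("192.168.1.5", 40000, "203.0.113.10", 443, "tcp", "PLAINTEXT_FIRMWARE_PUSH"),
    Packet("192.168.1.5", 40001, "198.51.100.7", 80, "tcp", "HTTP_GET"),
    Packet("192.168.1.5", 50000, "192.168.2.9", 1234, "udp", "DIAG_REQUEST"),
]
```

Running `inspect_stream(SAMPLE)` flags packets 1, 2 and 3 with one alarm each and leaves the verified session alone.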
CPC classification titles:

- Traffic logging, e.g. anomaly detection
- Event detection, e.g. attack signature detection
- for in-vehicle communication
- for communication between vehicles and infrastructures, e.g. vehicle-to-cloud [V2C] or vehicle-to-home [V2H]
- wherein the data content is protected, e.g. by encrypting or encapsulating the payload