Systems and methods for validating login attempts based on user location
US-9529990-B2 · Dec 27, 2016 · US
US9843594B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-9843594-B1 |
| Application number | US-201414525792-A |
| Country | US |
| Kind code | B1 |
| Filing date | Oct 28, 2014 |
| Priority date | Oct 28, 2014 |
| Publication date | Dec 12, 2017 |
| Grant date | Dec 12, 2017 |
Official abstract text for this publication.
The disclosed computer-implemented method for detecting anomalous messages in automobile networks may include (1) receiving automobile-network messages that are expected to be broadcast over an automobile network of an automobile, (2) extracting a set of features from the automobile-network messages, and (3) using the set of features to create a model that is capable of distinguishing expected automobile-network messages from anomalous automobile-network messages. The disclosed computer-implemented method may further include (1) detecting an automobile-network message that has been broadcast over the automobile network, (2) using the model to determine that the automobile-network message is anomalous, and (3) performing a security action in response to determining that the automobile-network message is anomalous. Various other methods, systems, and computer-readable media are also disclosed.
Opening claim text (preview).
What is claimed is:

1. A computer-implemented method for detecting anomalous messages in automobile networks, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising: receiving, at a cloud-based computing system from a first logging device of a first automobile, a first plurality of automobile-network messages that were broadcast over a first automobile network of the first automobile by at least one of a first electronic control unit, a first sensor, and a first actuator; receiving, at the cloud-based computing system from a second logging device of a second automobile, a second plurality of automobile-network messages that were broadcast over a second automobile network of the second automobile by at least one of a second electronic control unit, a second sensor, and a second actuator, wherein the second electronic control unit, the second sensor, and the second actuator are respectively substantially similar to the first electronic control unit, the first sensor, and the first actuator, and wherein the second automobile network is substantially similar to the first automobile network; extracting, at the cloud-based computing system, a set of features from the first plurality of automobile-network messages and the second plurality of automobile-network messages; creating, at the cloud-based computing system using the set of features, a model capable of distinguishing expected automobile-network messages broadcast over a third automobile network of a third automobile from anomalous automobile-network messages broadcast over the third automobile network, wherein the third automobile network is substantially similar to the first and second automobile networks; and enabling a security device at the third automobile to detect anomalous automobile-network messages broadcast over the third automobile network by transmitting the model from the cloud-based computing system to the third automobile.
2. The computer-implemented method of claim 1, further comprising: detecting an automobile-network message that has been broadcast over the third automobile network; using the model to determine that the automobile-network message is anomalous; and performing a security action in response to determining that the automobile-network message is anomalous.
3. The computer-implemented method of claim 2, wherein: creating the model comprises: creating a plurality of classifiers; and training each of the plurality of classifiers using a distinct subset of the set of features; and using the model to determine that the automobile-network message is anomalous comprises: calculating an aggregate classification for the automobile-network message based on a classification of the automobile-network message by each of the plurality of classifiers; and determining that the aggregate classification of the automobile-network message indicates that the automobile-network message is anomalous.
4. The computer-implemented method of claim 3, wherein the plurality of classifiers are created and trained using an ensemble machine-learning method.
5. The computer-implemented method of claim 1, further comprising logging, at the first logging device, the first plurality of automobile-network messages as they are broadcast over the first automobile network, wherein the first logging device is connected to the first automobile network via a port of the first automobile network.
6. The computer-implemented method of claim 1, wherein the first, second, and third automobiles are of the same make and model.
7. The computer-implemented method of claim 1, wherein: creating the model comprises using the set of features to create a model capable of distinguishing automobile-network messages that are part of normal operation of the third automobile from automobile-network messages that are part of an attack on the third automobile network.
8. The computer-implemented method of claim 1, wherein creating the model comprises using the set of features to create a model capable of distinguishing automobile-network messages of functioning electronic control units from automobile-network messages of malfunctioning electronic control units.
9. The computer-implemented method of claim 1, wherein: the first plurality of automobile-network messages convey a plurality of states of an attribute of the first automobile; the plurality of states represent a range of possible states of the attribute; and creating the model comprises using the set of features to create a model capable of distinguishing automobile-network messages that convey states of the attribute that are within the range from automobile-network messages that convey states of the attribute that are outside of the range.
10. The computer-implemented method of claim 1, wherein: the first plurality of automobile-network messages convey a plurality of states of an attribute of the first automobile while an additional attribute of the first automobile is in a particular state; the plurality of states represent a range of possible states of the attribute while the additional attribute of the first automobile is in the particular state; and creating the model comprises using the set of features to create a model capable of distinguishing automobile-network messages that convey states of the attribute that are within the range from automobile-network messages that convey states of the attribute that are outside of the range.
11. The computer-implemented method of claim 1, wherein the first automobile network comprises an in-vehicle controller area network bus.
12. A system for detecting anomalous messages in automobile networks, the system comprising: a receiving module that: receives, at a cloud-based computing system from a first logging device of a first automobile, a first plurality of automobile-network messages that were broadcast over a first automobile network of the first automobile by at least one of a first electronic control unit, a first sensor, and a first actuator; receives, at the cloud-based computing system from a second logging device of a second automobile, a second plurality of automobile-network messages that were broadcast over a second automobile network of the second automobile by at least one of a second electronic control unit, a second sensor, and a second actuator, wherein the second electronic control unit, the second sensor, and the second actuator are respectively substantially similar to the first electronic control unit, the first sensor, and the first actuator, and wherein the second automobile network is substantially similar to the first automobile network; an extracting module that extracts, at the cloud-based computing system, a set of features from the first plurality of automobile-network messages and the second plurality of automobile-network messages; a creating module that: creates, at the cloud-based computing system using the set of features, a model capable of distinguishing expected automobile-network messages broadcast over a third automobile network of a third automobile from anomalous automobile-network messages broadcast over the third automobile network, wherein the third automobile network is substantially similar to the first and second automobile networks; and transmits, from the cloud-based computing system, the model to the third automobile to enable a security device at the third automobile to detect anomalous automobile-network messages broadcast over the third automobile network; memory that stores the receiving module, the extracting module, and the creating module; and at least one processor that executes the r
by monitoring network traffic (monitoring network traffic per se H04L43/00) · CPC title
Traffic logging, e.g. anomaly detection · CPC title
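The flow in claims 1 to 3 and 9, worked as an added example that is not code from the patent: logs from two similar cars train three classifiers on distinct feature subsets, and a third car's traffic is judged by their aggregate vote. The frame layout `(CAN ID, payload, inter-arrival gap)`, the three feature subsets, the majority-vote rule, the 50% timing slack and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed logs: (CAN ID, payload, seconds since previous frame with that ID).
CAR_1_LOG = [(0x0C4, b"\x10\x20", 0.010), (0x0C4, b"\x18\x2a", 0.011),
             (0x1A0, b"\x00\x64", 0.100)]
CAR_2_LOG = [(0x0C4, b"\x12\x30", 0.009), (0x1A0, b"\x01\x50", 0.102),
             (0x1A0, b"\x00\x70", 0.098)]

def widen(rng, value):
    """Extend a (low, high) range so that it covers value."""
    return (value, value) if rng is None else (min(rng[0], value), max(rng[1], value))

def train(logs):
    """Cloud side: learn three classifiers, each from a distinct feature subset."""
    ids, byte_rng, gap_rng = set(), defaultdict(dict), {}
    for log in logs:
        for can_id, payload, gap in log:
            ids.add(can_id)                                    # subset 1: message ID
            for i, b in enumerate(payload):                    # subset 2: payload bytes
                byte_rng[can_id][i] = widen(byte_rng[can_id].get(i), b)
            gap_rng[can_id] = widen(gap_rng.get(can_id), gap)  # subset 3: timing
    return {"ids": ids, "byte_rng": dict(byte_rng), "gap_rng": gap_rng}

def classify(model, frame, slack=0.5):
    """Vehicle side: return (is_anomalous, votes); a True vote flags the frame."""
    can_id, payload, gap = frame
    if can_id not in model["ids"]:
        return True, {"id": True, "payload": True, "timing": True}
    rng = model["byte_rng"][can_id]
    lo, hi = model["gap_rng"][can_id]
    votes = {
        "id": False,
        "payload": len(payload) != len(rng)
                   or any(not rng[i][0] <= b <= rng[i][1] for i, b in enumerate(payload)),
        "timing": not lo * (1 - slack) <= gap <= hi * (1 + slack),
    }
    return sum(votes.values()) >= 2, votes  # aggregate: majority of three

def monitor(model, frames):
    """Return the frames to act on (the security action here is only reporting)."""
    return [f for f in frames if classify(model, f)[0]]

MODEL = train([CAR_1_LOG, CAR_2_LOG])
# Constructed traffic from a third car of the same make and model.
CAR_3_TRAFFIC = [(0x0C4, b"\x14\x25", 0.010),  # within learned ranges
                 (0x0C4, b"\xff\x25", 0.001),  # payload and timing both out of range
                 (0x1A0, b"\x00\x7f", 0.100),  # only the payload classifier objects
                 (0x7DF, b"\x02\x01", 0.500)]  # ID never seen in training
```

The third frame shows why the aggregate matters: a single out-of-range byte with normal timing draws one vote and is not flagged, which trades some sensitivity for fewer false alarms on states the training logs did not cover.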