Method and apparatus for calibrating a system for recognizing attempts to penetrate a computer network

US11206274B2 · US · B2

Patent metadata
Publication number: US-11206274-B2
Application number: US-201916384260-A
Country: US
Kind code: B2
Filing date: Apr 15, 2019
Priority date: May 2, 2018
Publication date: Dec 21, 2021
Grant date: Dec 21, 2021

Abstract

Official abstract text for this publication.

An apparatus and a method for calibrating a system for recognizing attempts to penetrate into a computer network, in particular of a motor vehicle, at least one parameter being estimated on the basis of a data set, the data set encompassing values that characterize a detected occurrence of messages in the computer network; a distribution function being determined on the basis of the at least one parameter; an inverse of the distribution function being determined; and at least one limit for the values being calibrated, on the basis of the inverse, in a rule for rule-based recognition of attempts to penetrate into the computer network.

First claim

Opening claim text (preview).

What is claimed is:

1. A method for calibrating a system for recognizing attempts to penetrate into a computer network, the method comprising: estimating at least one parameter based on a data set, the data set encompassing values that characterize a detected occurrence of messages in the computer network; determining a distribution function based on the at least one parameter; determining an inverse function of the distribution function; and calibrating at least one limit for the values, based on the inverse function, in a rule for rule-based recognition of attempts to penetrate into the computer network.

2. The method of claim 1, wherein a probability is predefined, and the at least one limit is determined based on a functional value of the inverse function in the context of a function argument that is determined based on the probability.

3. The method of claim 2, wherein an extreme value is predefined, and the at least one limit is determined based on the function value of the inverse function in the context of a function argument that is determined based on the probability.

4. The method of claim 1, wherein a lower limit for the values is determined, and wherein the lower limit characterizes values below which a penetration attempt is recognized.

5. The method of claim 4, wherein a minimum of the values is determined, and the lower limit is determined based on a functional value of the inverse function at the minimum.

6. The method of claim 1, wherein an upper limit for the values is determined, and wherein the upper limit characterizes values above which a penetration attempt is recognized.

7. The method of claim 6, wherein a maximum of the values is determined, and the upper limit is determined based on a functional value of the inverse function at the maximum.

8. The method of claim 1, wherein the values characterize one of: a time difference between the occurrence of messages detected in the computer network; an average time difference between the occurrence of messages detected in the computer network; a rate of change in the occurrence of messages detected in the computer network; an average rate of change in the occurrence of messages detected in the computer network; or a correlation coefficient for the occurrence of messages detected in the computer network.

9. The method of claim 1, wherein the values are determined from a measurement of messages detected in the computer network.

10. The method of claim 1, wherein the computer network is for a motor vehicle.

11. An apparatus for calibrating a system for recognizing attempts to penetrate into a computer network, comprising: a processor and at least one data memory, which are configured to perform the following: estimating at least one parameter based on a data set, the data set encompassing values that characterize a detected occurrence of messages in the computer network; determining a distribution function for the values based on the at least one parameter; determining an inverse function of the distribution function; and calibrating, based on the inverse function, at least one limit for the values in a rule for rule-based recognition of attempts to penetrate into the computer network.

12. The apparatus of claim 11, wherein the computer network is for a motor vehicle.

13. The method as recited in claim 1, further comprising: recognizing an attempt to penetrate into the computer network using the rule with the calibrated at least one limit for the values.

14. The method as recited in claim 1, wherein, before the estimating step, the dataset is formed based on timestamps of the messages.

15. The method as recited in claim 14, wherein the dataset is formed using cycle times determined based on the timestamps of the messages.

16. The method as recited in claim 15, wherein the computer network is a Controller Area Network (CAN), and wherein the messages are messages having the same CAN ID.

17. The apparatus as recited in claim 11, wherein the processor and the at least one data memory are further configure to perform: recognizing an attempt to penetrate into the computer network using the rule with the calibrated at least one limit for the values.

18. The apparatus as recited in claim 11, wherein, before the estimating, the dataset is formed based on timestamps of the messages.

19. The apparatus as recited in claim 18, wherein the dataset is formed using cycle times determined based on the timestamps of the messages.

20. The apparatus as recited in claim 19, wherein the computer network is a Controller Area Network (CAN), and wherein the messages are messages having the same CAN ID.
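
The calibration steps of claims 1, 2 and 14 to 16, sketched as an added example that is not taken from the patent text: cycle times are formed from the timestamps of one CAN ID, parameters are estimated, and the limits are read off the inverse distribution function. Assumptions: the page names no distribution, so a normal distribution is used here; the predefined probability is treated as a false-alarm probability split across both tails; the timestamps and all function names are constructed for illustration.

```python
from statistics import NormalDist, fmean, stdev

# Constructed sample: receive timestamps (ms) of one CAN ID, nominal 10 ms cycle.
SAMPLE_TIMESTAMPS_MS = [0.0, 10.1, 19.9, 30.0, 40.2, 49.8,
                        60.0, 70.1, 79.9, 90.0, 100.2]

def cycle_times(timestamps):
    """Form the data set: time differences between consecutive messages."""
    return [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]

def calibrate_limits(values, probability):
    """Return (lower, upper) limits from the inverse of the fitted distribution.

    Assumption: the values are modelled as normal and `probability` is the
    accepted false-alarm probability, split evenly between both tails.
    """
    if not 0.0 < probability < 1.0:
        raise ValueError("probability must lie strictly between 0 and 1")
    if len(values) < 2:
        raise ValueError("need at least two values to estimate a spread")
    mu, sigma = fmean(values), stdev(values)      # parameter estimation
    if sigma == 0.0:
        raise ValueError("zero spread: limits would reject any jitter at all")
    dist = NormalDist(mu, sigma)                  # distribution function
    lower = dist.inv_cdf(probability / 2)         # inverse at the lower tail
    upper = dist.inv_cdf(1 - probability / 2)     # inverse at the upper tail
    return lower, upper

def violates_rule(value, limits):
    """Rule-based check: flag a value outside the calibrated limits."""
    lower, upper = limits
    return value < lower or value > upper

if __name__ == "__main__":
    limits = calibrate_limits(cycle_times(SAMPLE_TIMESTAMPS_MS), probability=1e-3)
    print("limits (ms): %.2f .. %.2f" % limits)
    for observed in (10.1, 5.0, 20.0):
        print(observed, "violates rule:", violates_rule(observed, limits))
```

A smaller probability widens the limits and lowers the false-alarm rate at the cost of sensitivity; a calibration capture with too few frames makes the estimated spread, and therefore both limits, unreliable.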

Classifications

  • Event detection, e.g. attack signature detection

  • specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

  • Network utilisation, e.g. volume of load or congestion level

  • involving event detection and direct action

  • Bus networks

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11206274B2 cover?
An apparatus and a method for calibrating a system for recognizing attempts to penetrate into a computer network, in particular of a motor vehicle, at least one parameter being estimated on the basis of a data set, the data set encompassing values that characterize a detected occurrence of messages in the computer network; a distribution function being determined on the basis of the at least on…
Who is the assignee on this patent?
Bosch Gmbh Robert
What technology area does this patent fall under?
Primary CPC classification H04L63/1416. Mapped technology areas include Electricity.
When was this patent published?
Publication date Dec 21, 2021 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).