Systems and methods for scalable network monitoring in virtual data centers
US-10264020-B1 · Apr 16, 2019 · US
US11522892B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11522892-B2 |
| Application number | US-202016921375-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 6, 2020 |
| Priority date | Jul 10, 2019 |
| Publication date | Dec 6, 2022 |
| Grant date | Dec 6, 2022 |
Official abstract text for this publication.
A device and method for intrusion detection in a computer network. A data packet is received at an input of a hardware switch unit, an output of the hardware switch unit is selected for sending the data packet or a copy as a function of security layer information from the data packet and of a hardware address, context information for the data packet being determined, an actual value from a field being compared in a comparison by a hardware filter with a setpoint value for values from this field, the field including security layer data or mediation layer data, and an interrupt for a computing device being triggered as a function of a result of the comparison, an analysis for detecting an intrusion pattern in a network traffic in the computer network, triggered by the interrupt, being carried out as a function of the context information for the data packet.
Opening claim text (preview).
What is claimed is:

1. A method for intrusion detection in a computer network, the method comprising the following steps: receiving a data packet at an input of a hardware switch unit; selecting an output of the hardware switch unit for sending the data packet or a copy of the data packet as a function of security layer information from the data packet and as a function of a hardware address; determining, by the hardware switch unit, context information for the data packet; comparing, by a hardware filter of the hardware switch unit, an actual value from a field of the data packet with a setpoint value for values from the field, the field including security layer data or mediation layer data; triggering an interrupt for a microprocessor as a function of a result of the comparison; carrying out by the microprocessor, triggered by the interrupt, an analysis for detecting an intrusion pattern in a network traffic in the computer network as a function of the context information for the data packet; wherein the computer network is an automotive network; wherein the context information for the data packet, determined by the hardware switch unit, is stored in a register, a register access of the microprocessor to the register taking place for the analysis; and wherein presence of a deviation is detected when: (i) a Dynamic Host Configuration Protocol filter at the input or the output establishes a Dynamic Host Configuration Protocol packet for Internet Protocol Version 4 and/or for Internet Protocol Version 6 including Dynamic Host Configuration Protocol port 67 and/or port 68; or (ii) a Transmission Control Protocol or User Datagram Protocol filter at the input or the output establishes a Transmission Control Protocol or User Datagram Protocol Broadcast message for Internet Protocol Version 4 and/or for Internet Protocol Version 6; or (iii) a Precision Time Protocol filter at the input or the output establishes a Precision Time Protocol message, a time stamp, or sequence number, or correction field, being stored at least temporarily in the register for context information.

2. The method as recited in claim 1, wherein the context information for the data packet is stored in the register when a deviation between the actual value and the setpoint value exists or exceeds the threshold value.

3. The method as recited in claim 1, wherein updated context information for the data packet is determined, by the microprocessor, as a function of a result of the analysis and is stored in the register.

4. The method as recited in claim 1, wherein the hardware filter includes a Ternary Content Addressable Memory, in which a mask for the setpoint value is stored, the actual value being compared with the mask stored in the Ternary Content Addressable Memory, and it being established as a function of the result of the comparison of the actual value with the mask whether or not a deviation exists.

5. The method as recited in claim 1, wherein the setpoint value characterizes a hardware address, the actual value being determined at the input or the output as a function of data from a hardware address field of a data packet.

6. The method as recited in claim 5, wherein the hardware address is a Medium Access Control address, and wherein the hardware address field is a Medium Access Control address of the data packet.

7. The method as recited in claim 1, wherein the setpoint value characterizes a Virtual Local Area Network, and the actual value is determined as a function of data, which characterize an association of a data packet at the input or the output with a Virtual Local Area Network.

8. The method as recited in claim 1, wherein presence of a deviation is detected, either when the hardware filter at the input or the output for a tagged Virtual Logical Area Network establishes an untagged Virtual Logical Area Network data packet, or when the hardware filter at the input or the output for an untagged Virtual Logical Area Network establishes a tagged Virtual Logical Area Network data packet.

9. The method as recited in claim 1, wherein the presence of a deviation is detected when the hardware filter establishes a data packet at the input or the output has an unknown Ethernet type, or a false checksum, or a false packet length, or a false packet structure.

10. A device for intrusion detection in a computer network, wherein the device is a system on a chip system, which includes a hardware switch unit, a hardware filter, a register, and a computing device for the intrusion detection, the device being configured to: receive a data packet at an input of the hardware switch unit; select an output of the hardware switch unit for sending the data packet or a copy of the data packet as a function of security layer information from the data packet and as a function of a hardware address; determine, by the hardware switch unit, context information for the data packet; compare, by the hardware filter of the hardware switch unit, an actual value from a field of the data packet with a setpoint value for values from the field, the field including security layer data or mediation layer data; trigger an interrupt for the computing device as a function of a result of the comparison; carry out by the computing device, triggered by the interrupt, an analysis for detecting an intrusion pattern in a network traffic in the computer network as a function of the context information for the data packet; wherein the computer network is an automotive network; wherein the context information for the data packet, determined by the hardware switch unit, is stored in a register, a register access of the microprocessor to the register taking place for the analysis; and wherein presence of a deviation is detected when: (i) a Dynamic Host Configuration Protocol filter at the input or the output establishes a Dynamic Host Configuration Protocol packet for Internet Protocol Version 4 and/or for Internet Protocol Version 6 including Dynamic Host Configuration Protocol port 67 and/or port 68; or (ii) a Transmission Control Protocol or User Datagram Protocol filter at the input or the output establishes a Transmission Control Protocol or User Datagram Protocol Broadcast message for Internet Protocol Version 4 and/or for Internet Protocol Version 6; or (iii) a Precision Time Protocol filter at the input or the output establishes a Precision Time Protocol message, a time stamp, or sequence number, or correction field, being stored at least temporarily in the register for context information.

11. The device as recited in claim 10, wherein the hardware switch unit is configured to store the context information for the data packet in the register when a deviation between the actual value and the setpoint value exists, or a threshold value is exceeded.

12. The device as recited in claim 10, wherein the computing device is configured to determine updated context information for the data packet as a function of a result of the analysis and to store the determined updated context information for the data packet in the register.

13. The device as recited in claim 10, wherein a Ternary Content Addressable Memory, and/or an Address Translation Unit, and/or a Virtual Local Area Network Translation Unit, and/or the Dynamic Host Configuration Protocol filter, and/or the Transmission Control Protocol or User Datagram Protocol filter, and/or the Precision Time Protocol filter, is the hardware filter and is configured to check the data packet for the intrusion detection and to provide the interrupt to the microprocessor for the intrusion detection as a function of the result of the check.
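The filter stages the claims describe (a TCAM-style masked compare on the source MAC from claims 4 to 6, the tagged/untagged VLAN check of claim 8, the unknown EtherType, false length and false checksum checks of claim 9, and the DHCP port 67/68 and UDP broadcast filters of claim 1) can be modelled in software to see which context information a deviation would latch before the interrupt fires. The Python below is an added illustration written for this page, not the patent's or any silicon vendor's implementation: the `Port` and `Context` layouts, the EtherType allow-list, the MAC and IP addresses and every sample frame are constructed for the example.

```python
"""Software model of the claimed hardware filter pipeline (added example)."""
import struct
from dataclasses import dataclass, field
from typing import Optional

ETH_P_IPV4, ETH_P_IPV6, ETH_P_8021Q, ETH_P_PTP = 0x0800, 0x86DD, 0x8100, 0x88F7
KNOWN_ETHERTYPES = {ETH_P_IPV4, ETH_P_IPV6, ETH_P_8021Q, ETH_P_PTP}  # assumed allow-list
DHCP_PORTS = {67, 68}
BROADCAST_MAC = b"\xff" * 6


@dataclass
class Port:
    """Per-port filter configuration; the layout is assumed for this example."""
    name: str
    tagged: bool          # port is configured for 802.1Q-tagged traffic (claim 8)
    mac_setpoint: bytes   # TCAM setpoint for the source MAC (claims 4-6)
    mac_mask: bytes       # TCAM mask: 0xff bits are compared, 0x00 bits are don't-care


@dataclass
class Context:
    """Context information the switch unit would latch in its register (claim 1)."""
    port: str
    src_mac: str
    dst_mac: str
    vlan: Optional[int]
    ethertype: int
    deviations: list = field(default_factory=list)


def masked_match(actual: bytes, setpoint: bytes, mask: bytes) -> bool:
    """Ternary compare as a TCAM does it: only bits set in the mask are compared."""
    return all((a & m) == (s & m) for a, s, m in zip(actual, setpoint, mask))


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum; evaluates to 0 when run over an intact header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(frame: bytes):
    """Minimal Ethernet / 802.1Q parse: (dst, src, vlan-or-None, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan, offset = None, 14
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return dst, src, vlan, ethertype, frame[offset:]


def inspect(port: Port, frame: bytes) -> Optional[Context]:
    """Run the filter stages on one frame. Returns the latched Context when at
    least one deviation is found (the interrupt case), or None when it is clean."""
    dst, src, vlan, ethertype, payload = parse_frame(frame)
    ctx = Context(port.name, src.hex(":"), dst.hex(":"), vlan, ethertype)
    if not masked_match(src, port.mac_setpoint, port.mac_mask):
        ctx.deviations.append("mac_mismatch")              # claims 5/6
    if port.tagged != (vlan is not None):
        ctx.deviations.append("vlan_tag_mismatch")         # claim 8
    if ethertype not in KNOWN_ETHERTYPES:
        ctx.deviations.append("unknown_ethertype")         # claim 9
    if ethertype == ETH_P_IPV4:
        if len(payload) < 20:
            ctx.deviations.append("false_packet_length")   # claim 9
        else:
            ihl = (payload[0] & 0x0F) * 4
            total_len = struct.unpack("!H", payload[2:4])[0]
            if ihl < 20 or total_len < ihl or total_len > len(payload):
                ctx.deviations.append("false_packet_length")   # claim 9
            elif ipv4_checksum(payload[:ihl]) != 0:
                ctx.deviations.append("false_checksum")        # claim 9
            elif payload[9] == 17 and total_len >= ihl + 8:     # UDP
                sport, dport = struct.unpack("!HH", payload[ihl:ihl + 4])
                if {sport, dport} & DHCP_PORTS:
                    ctx.deviations.append("dhcp")              # claim 1 (i)
                if dst == BROADCAST_MAC or payload[16:20] == b"\xff" * 4:
                    ctx.deviations.append("udp_broadcast")     # claim 1 (ii)
    return ctx if ctx.deviations else None


def build_ipv4_udp(dst_mac, src_mac, src_ip, dst_ip, sport, dport,
                   vlan=None, data=b"", corrupt_checksum=False) -> bytes:
    """Constructed test frame: Ethernet [+802.1Q] / IPv4 / UDP, valid header
    checksum unless corrupt_checksum is set (UDP checksum left at 0 = absent)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src_ip, dst_ip)
    csum = ipv4_checksum(hdr) ^ (1 if corrupt_checksum else 0)
    hdr = hdr[:10] + struct.pack("!H", csum) + hdr[12:]
    eth = dst_mac + src_mac + (struct.pack("!HH", ETH_P_8021Q, vlan) if vlan is not None else b"")
    return eth + struct.pack("!H", ETH_P_IPV4) + hdr + udp


# Constructed port configuration and sample frames (not from the patent)
ECU_PORT = Port("port1", tagged=False, mac_setpoint=bytes.fromhex("001122000000"),
                mac_mask=bytes.fromhex("ffffff000000"))   # match the OUI only
GOOD_MAC, PEER_MAC, ROGUE_MAC = (bytes.fromhex(h) for h in ("001122334455", "00112299aabb", "deadbeef0001"))
IP_A, IP_B = bytes([10, 0, 0, 2]), bytes([10, 0, 0, 3])
SAMPLES = {
    "ok": build_ipv4_udp(PEER_MAC, GOOD_MAC, IP_A, IP_B, 5000, 5001, data=b"hello"),
    "dhcp": build_ipv4_udp(BROADCAST_MAC, GOOD_MAC, bytes(4), b"\xff" * 4, 68, 67, data=b"discover"),
    "rogue_tagged": build_ipv4_udp(PEER_MAC, ROGUE_MAC, IP_A, IP_B, 5000, 5001, vlan=10),
    "bad_csum": build_ipv4_udp(PEER_MAC, GOOD_MAC, IP_A, IP_B, 5000, 5001, corrupt_checksum=True),
    "unknown": PEER_MAC + GOOD_MAC + struct.pack("!H", 0x1234) + b"\x00" * 46,
}


def run_samples() -> dict:
    """Apply the filter to every sample; value is the deviation list or None."""
    results = {}
    for name, frame in SAMPLES.items():
        ctx = inspect(ECU_PORT, frame)
        results[name] = None if ctx is None else ctx.deviations
    return results


if __name__ == "__main__":
    for name, dev in run_samples().items():
        print(f"{name:13s} -> {'forwarded' if dev is None else 'interrupt: ' + ', '.join(dev)}")
```

The model keeps the hardware's ordering: the cheap per-frame checks (MAC mask, VLAN tag, EtherType) always run, while the IPv4 checks are chained so that a frame with a false length is not also reported for a checksum it cannot have, and only a structurally sound UDP packet reaches the DHCP and broadcast filters. Everything in the returned `Context` corresponds to what the claims say the switch latches before the interrupt, so a software analysis stage only has to read it rather than re-parse the frame.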
for synchronisation between service call and response · CPC title
the monitoring system or the monitored elements being virtualised, abstracted or software-defined entities, e.g. SDN or NFV · CPC title
Threshold monitoring · CPC title
using virtualisation of network functions or resources, e.g. SDN or NFV entities · CPC title
specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks · CPC title