Anomaly detection based on evaluation of user behavior using multi-context machine learning
US-2020351285-A1 · Nov 5, 2020 · US
US11700271B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11700271-B2 |
| Application number | US-202016921126-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 6, 2020 |
| Priority date | Jul 10, 2019 |
| Publication date | Jul 11, 2023 |
| Grant date | Jul 11, 2023 |
Abstract:
A device and a method for anomaly detection in a communications network, at least two messages at a port of the communications network being observed, a property of a communication behavior of a network user being determined as a function of the at least two messages, a deviation of the property from an expected property being determined, and the presence of an anomaly being detected when the deviation differs from an allowable deviation. The expected property defines a communication behavior of the at least one network user as a function of an in particular static network architecture of the communications network.
Claims (preview):
What is claimed is:

1. A method for anomaly detection in an automotive communications network of a vehicle, the method comprising the following steps: observing at least two messages at a port of the automotive communications network; determining a property of a communication behavior of a network user as a function of the at least two messages, the network user including a first control unit of the automotive communications network; determining a deviation of the property from an expected property, wherein the expected property is determined based on a model that models a communication behavior between the network user and a second network user, the second network user including a second control unit of the automotive communications network, the expected property being a function of a static network architecture of the automotive communications network including the first control unit and the second control unit; and detecting a presence of an anomaly based on the deviation differing from an allowable deviation, wherein during the anomaly detection, a distinction is made between various system states in which the vehicle can potentially be in, the system states including (i) ignition on, (ii) engine idling, (iii) forward travel, (iv) reverse travel, and (v) vehicle diagnostics on; a system state of the vehicle being determined, and at least one of the expected property or the allowable deviation being determined as a function of the determined system state.
2. The method as recited in claim 1, wherein a measure for the severity of the anomaly is determined as a function of at least one of: (i) the property of the communication behavior of the network user, (ii) the expected property, or (iii) the deviation, a response being determined as a function of the severity of the anomaly.
3. The method as recited in claim 2, wherein the response is selected from a plurality of defined responses as a function of the severity of the anomaly.
4. The method as recited in claim 2, wherein the response includes at least one of: a report to a central unit, discarding of a data packet of one of the messages, or a transition of the communications network into a secure state.
5. The method as recited in claim 1, wherein the model is defined as a function of information concerning the static network architecture of the vehicle, the expected property being defined as a function of information concerning the static portion of the static network architecture.
6. The method as recited in claim 1, wherein the expected property defines a ratio between a first data volume and a second data volume of data that are exchanged in a defined time period, first data packets or messages whose sender is the network user and whose receiver is the second network user defining the first data volume, and second data packets or messages whose sender is the second network user and whose receiver is the network user defining the second data volume.
7. The method as recited in claim 1, wherein a measure for the deviation is determined at synchronous or asynchronous points in time, and the measure for the deviation is compared to a threshold value that defines the allowable deviation.
8. The method as recited in claim 1, wherein the model defines the expected property as a function of a predefined sequence of a network protocol used in the communications network.
9. The method as recited in claim 1, wherein the model defines a measure for data traffic that is aggregated by a counter or leaky bucket mechanism, per most recent time units and/or per communication user, the measure being a number of transferred data packets, or an average size of the transferred data packets, or an average number of the network connections, or an average data volume per network connection, or a number of the terminated network connections, or a response time, or a ratio between sent and received data.
10. The method as recited in claim 1, wherein the deviation is determined as a function of information concerning a network protocol used by a network user, the network protocol being at least one of: Ethernet, IPv4/IPv6, TCP/UDP, SOME/IP, DDS, DoIP, or AVB.
11. A device for anomaly detection in an automotive communications network of a vehicle, the device comprising: a port; and a processing unit configured to: observe at least two messages at the port; determine a property of a communication behavior of a network user as a function of the at least two messages, the network user including a first control unit of the automotive communications network; determine a deviation of the property from an expected property, wherein the expected property is determined based on a model that models a communication behavior between the network user and a second network user, the second network user including a second control unit of the automotive communications network, the expected property being a function of a static network architecture of the automotive communications network including the first control unit and the second control unit; and detect a presence of an anomaly based on the deviation differing from an allowable deviation, wherein during the anomaly detection, a distinction is made between various system states in which the vehicle can potentially be in, the system states including (i) ignition on, (ii) engine idling, (iii) forward travel, (iv) reverse travel, and (v) vehicle diagnostics on; a system state of the vehicle being determined, and at least one of the expected property or the allowable deviation being determined as a function of the determined system state.
12. A non-transitory computer-readable memory medium on which is stored a computer program for anomaly detection in an automotive communications network of a vehicle, the computer program, when executed by a computer, causing the computer to perform the following steps: observing at least two messages at a port of the automotive communications network; determining a property of a communication behavior of a network user as a function of the at least two messages, the network user including a first control unit of the automotive communications network; determining a deviation of the property from an expected property, wherein the expected property is determined based on a model that models a communication behavior between the network user and a second network user, the second network user including a second control unit of the automotive communications network, the expected property being a function of a static network architecture of the automotive communications network including the first control unit and the second control unit; and detecting a presence of an anomaly based on the deviation differing from an allowable deviation, wherein during the anomaly detection, a distinction is made between various system states in which the vehicle can potentially be in, the system states including (i) ignition on, (ii) engine idling, (iii) forward travel, (iv) reverse travel, and (v) vehicle diagnostics on; a system state of the vehicle being determined, and at least one of the expected property or the allowable deviation being determined as a function of the determined system state.
13. The non-transitory computer-readable medium as recited in claim 12, wherein the expected property defines a ratio between a first data volume and a second data volume of data that are exchanged in a defined time period, first data packets or messages whose sender is the network user and whose receiver is the second network user defining the first data volume, and second data packets or messages whose sender is the second network user and whose receiver is the network
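The claims above describe a detector in abstract terms: aggregate traffic between two control units per time window (claim 9), take the ratio of bytes sent to bytes received as the property (claim 6), compare it against an expectation that depends on the static architecture and on the vehicle's system state (claim 1), flag a deviation beyond an allowed threshold (claim 7), and pick a response by severity (claims 2 to 4). The Python below is an added illustration of that pipeline, not code from the patent or its assignee. Everything concrete in it is an assumption: the message record shape, the two ECU names, the expected ratios and tolerances in `MODEL`, the severity formula (deviation divided by tolerance), the response ladder, and the sample traffic, which is constructed for the example.

```python
"""Added example: traffic-ratio anomaly detection between two ECUs, per
time window and per vehicle system state. Not the patent's own code; all
names, ratios, tolerances and sample messages are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# The five system states the claims distinguish.
STATES = ("ignition_on", "engine_idling", "forward_travel",
          "reverse_travel", "diagnostics_on")


@dataclass(frozen=True)
class Expectation:
    ratio: float      # expected bytes(A->B) / bytes(B->A) within one window
    tolerance: float  # allowable relative deviation from that ratio


# Model derived from the (assumed) static architecture: a gateway ECU talks
# to a brake ECU. While driving the exchange is roughly symmetric; during
# diagnostics the gateway legitimately sends far more than it receives.
MODEL = {
    ("gateway", "brake"): {
        "forward_travel": Expectation(ratio=1.0, tolerance=0.25),
        "diagnostics_on": Expectation(ratio=4.0, tolerance=0.5),
    },
}

# Response ladder (assumed): the highest threshold reached wins.
RESPONSES = [(0.0, "report"), (2.0, "drop_packet"), (4.0, "secure_state")]


def aggregate(messages, window):
    """Counter per (window, sender, receiver, state): sums payload bytes."""
    volumes = defaultdict(int)
    for ts, src, dst, nbytes, state in messages:
        volumes[(ts // window, src, dst, state)] += nbytes
    return volumes


def select_response(severity):
    chosen = RESPONSES[0][1]
    for threshold, name in RESPONSES:
        if severity >= threshold:
            chosen = name
    return chosen


def detect(messages, window=1.0):
    """Return one anomaly record per window whose observed ratio for a
    modelled ECU pair deviates more than the state-specific tolerance."""
    volumes = aggregate(messages, window)
    seen = {(w, st) for (w, _, _, st) in volumes}
    anomalies = []
    for (a, b), per_state in MODEL.items():
        for w, state in sorted(seen):
            exp = per_state.get(state)
            if exp is None:
                continue  # no expectation modelled for this state
            ab = volumes.get((w, a, b, state), 0)
            ba = volumes.get((w, b, a, state), 0)
            if ab == 0 and ba == 0:
                continue  # pair silent in this window
            if ba == 0:
                # B never answered: treat as unbounded deviation.
                observed, deviation = float("inf"), float("inf")
            else:
                observed = ab / ba
                deviation = abs(observed - exp.ratio) / exp.ratio
            if deviation > exp.tolerance:
                severity = deviation / exp.tolerance
                anomalies.append({
                    "window": w, "pair": (a, b), "state": state,
                    "observed_ratio": observed, "severity": severity,
                    "response": select_response(severity),
                })
    return anomalies


# Constructed sample traffic: (timestamp, sender, receiver, bytes, state).
SAMPLE_MESSAGES = [
    (0.1, "gateway", "brake", 64, "forward_travel"),
    (0.4, "brake", "gateway", 64, "forward_travel"),
    (0.7, "gateway", "brake", 64, "forward_travel"),
    (0.9, "brake", "gateway", 60, "forward_travel"),   # ratio ~1.03: normal
    (1.2, "gateway", "brake", 64, "diagnostics_on"),
    (1.3, "gateway", "brake", 64, "diagnostics_on"),
    (1.4, "gateway", "brake", 64, "diagnostics_on"),
    (1.5, "gateway", "brake", 64, "diagnostics_on"),
    (1.8, "brake", "gateway", 64, "diagnostics_on"),   # ratio 4.0: normal here
    (2.1, "gateway", "brake", 512, "forward_travel"),
    (2.2, "gateway", "brake", 512, "forward_travel"),
    (2.3, "gateway", "brake", 512, "forward_travel"),
    (2.8, "brake", "gateway", 64, "forward_travel"),   # ratio 24.0 while driving
]

if __name__ == "__main__":
    for record in detect(SAMPLE_MESSAGES):
        print(record)
```

The point the system-state dependency makes is visible in the sample: a 4:1 ratio is accepted in window 1 because the vehicle is in diagnostics, whereas the same 4:1 ratio during forward travel would exceed the 0.25 tolerance and be flagged. Only window 2, where the gateway floods the brake ECU at 24:1 while driving, is reported, with a severity high enough to reach the "secure_state" response.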
CPC classification titles:

- Event detection, e.g. attack signature detection
- Traffic logging, e.g. anomaly detection
- Filtering by address, protocol, port number or service, e.g. IP-address or URL
- the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
- for managing network security; network security policies in general (filtering policies H04L63/0227)