Does host intrusion detection systems use heuristic based detection, which in turn uses a cipher key to determine if an alert should be triggered?