A Comprehensive Evaluation of Watermarking for Time Series Diffusion Models

Master Thesis (2025)
Author(s)

V. Timmer (TU Delft - Electrical Engineering, Mathematics and Computer Science)

Contributor(s)

Lydia Y. Chen – Mentor (TU Delft - Data-Intensive Systems)

J.M. Galjaard – Mentor (TU Delft - Data-Intensive Systems)

H. Wang – Graduation committee member (TU Delft - Multimedia Computing)

Faculty
Electrical Engineering, Mathematics and Computer Science
Publication Year
2025
Language
English
Graduation Date
29-10-2025
Awarding Institution
Delft University of Technology
Programme
Computer Science
Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Abstract

Many fields rely on scarce and sensitive time series data, such as patient health records. Privacy regulations often make sharing such data challenging, slowing research progress. Synthetic time series offer a potential solution by replicating statistical characteristics of real data without revealing private information. Yet, they introduce new risks, as synthetic data may be mistaken for real. Watermarking can mitigate this by embedding a machine-detectable signal that preserves data quality. For such methods to be effective, watermarks must be robust to removal attempts. Existing research lacks direct comparisons of generative models for time series synthesis and watermarking. Furthermore, it only evaluates watermark robustness against time-domain attacks. Attacks in other domains, such as the frequency domain, remain unexplored. In order to address these gaps, this thesis investigates three key questions. First, which generative models are best suited for time series synthesis. Second, whether latent diffusion models (LDMs) can support watermarking. Lastly, how robust existing diffusion watermarks are against adversarial attacks.

A comparative study between GPT-based models and diffusion models showed that diffusion models produce synthetic data of higher quality. LDMs were then evaluated as a potential alternative. Their reliance on a variational autoencoder led to low-quality outputs. Hence, standard diffusion models were selected as the superior watermarking candidate. Finally, we introduced an extended set of time-, frequency-, and time-frequency domain attacks to assess watermark robustness. TimeWak emerged as the most robust watermark. However, our extended attack suite revealed new vulnerabilities in all watermarks, highlighting the importance of comprehensive robustness evaluations.

Files

License info not available