Augments training with adversarially perturbed examples. Models learn to be robust to small input perturbations. Improves security against adversarial attacks.