Suppose an adversarial example is recognized correctly by a human, yet a model recognizes it wrongly.
Therefore, the model uses other information than humans in order to classify, and the information it uses is wrong.
Therefore, the model needs to be trained ON THE ADVERSARIAL EXAMPLES in order to gain robustness.
Similarly to GANs using a classifier adversary for augmenting a generative network, one could use a generative adversary for augmenting a classifier network.
You can repeat until the adversarial examples look ambiguous even to a human.
Therefore, the model uses other information than humans in order to classify, and the information it uses is wrong.
Therefore, the model needs to be trained ON THE ADVERSARIAL EXAMPLES in order to gain robustness.
Similarly to GANs using a classifier adversary for augmenting a generative network, one could use a generative adversary for augmenting a classifier network.
You can repeat until the adversarial examples look ambiguous even to a human.